[57] ABSTRACT

A secure front-end communication system which couples a plurality of actively redundant process control computers to a computer network. The system includes a front end computer which is capable of establishing time limited communication contracts with one or more computer entities on the computer network. Each time limited communication contract is based upon an acceptable response to the transmission of an unpredictable signal from the front end computer, such as an encrypted transformation of a pseudo-random number generated by the front end computer. A security table is used to identify the network entities that are permitted to send write command messages to the process control computers to which the front end computer is connected. The front end computer also includes at least one permissive table which is used to determine whether a write command message from the network entity should be transmitted to the process control computer for which the message was intended.
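The contract and write-gating mechanism summarized in the abstract, modelled as an added example. This is not code from the patent: the patent names no cipher, message format, contract lifetime or table layout, so HMAC-SHA256 over a 16-byte random challenge stands in for the "encrypted transformation of a pseudo-random number", and the 30-second lifetime, the 5-second renewal margin, the entity names ws7/ws9, the process control computer ids pcc-12a/pcc-12b and the addresses are all assumptions.

```python
"""Model of a time limited communication contract with challenge/response
setup, renewal with a fresh pseudo-random number before expiry, and write
command gating by a security table and a permissive table.  Added example;
cipher, lifetimes, names and addresses are assumptions, not the patent's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def transform(key: bytes, challenge: bytes) -> bytes:
    """Keyed transformation the network entity applies to the challenge.
    HMAC-SHA256 is an assumption; the patent does not specify the cipher."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


@dataclass
class Contract:
    entity: str
    expires_at: float


@dataclass
class FrontEnd:
    """Front end computer: per-entity keys, security table (entity -> set of
    process control computers it may write to) and permissive table
    (process control computer -> set of writable addresses)."""
    keys: dict
    security_table: dict
    permissive_table: dict
    lifetime: float = 30.0          # assumed contract lifetime in seconds
    renew_margin: float = 5.0       # assumed: renegotiate this long before expiry
    pending: dict = field(default_factory=dict)    # entity -> outstanding challenge
    contracts: dict = field(default_factory=dict)  # entity -> live Contract

    def issue_challenge(self, entity: str) -> bytes:
        """Send a fresh unpredictable value.  A new one is drawn for every
        contract so a captured response cannot be replayed into a later one."""
        challenge = secrets.token_bytes(16)
        self.pending[entity] = challenge
        return challenge

    def accept_response(self, entity: str, response: bytes, now: float) -> bool:
        """Open (or renew) the contract only if the response is the keyed
        transform of the challenge actually sent to this entity.  A live
        contract is left untouched by a failed renewal attempt."""
        challenge = self.pending.pop(entity, None)
        if challenge is None or entity not in self.keys:
            return False
        expected = transform(self.keys[entity], challenge)
        if not hmac.compare_digest(expected, response):    # constant-time compare
            return False
        self.contracts[entity] = Contract(entity, now + self.lifetime)
        return True

    def needs_renewal(self, entity: str, now: float) -> bool:
        contract = self.contracts.get(entity)
        return contract is not None and now >= contract.expires_at - self.renew_margin

    def forward_write(self, entity: str, pcc: str, address: int, now: float) -> bool:
        """A write command reaches a process control computer only if (1) a live
        contract exists, (2) the security table lists the entity for that
        computer and (3) the permissive table lists the target address."""
        contract = self.contracts.get(entity)
        if contract is None or now >= contract.expires_at:
            return False
        if pcc not in self.security_table.get(entity, set()):
            return False
        return address in self.permissive_table.get(pcc, set())


def run_session() -> dict:
    """Walk one entity through a failed response, a valid contract, gated
    writes, a replayed response, and renewal before expiry.  Constructed data."""
    key = b"shared-secret-for-workstation-7"           # assumed pre-shared key
    fe = FrontEnd(
        keys={"ws7": key},
        security_table={"ws7": {"pcc-12a"}},           # ws7 may write to 12a only
        permissive_table={"pcc-12a": {0x0100, 0x0101}},
    )
    t = 1000.0
    r = {}
    c1 = fe.issue_challenge("ws7")
    r["bad_response_rejected"] = not fe.accept_response("ws7", b"\x00" * 32, t)
    c1 = fe.issue_challenge("ws7")                     # new number after a failure
    r["contract_opened"] = fe.accept_response("ws7", transform(key, c1), t)
    r["write_in_table"] = fe.forward_write("ws7", "pcc-12a", 0x0100, t + 1)
    r["write_bad_addr"] = fe.forward_write("ws7", "pcc-12a", 0x0200, t + 1)
    r["write_wrong_pcc"] = fe.forward_write("ws7", "pcc-12b", 0x0100, t + 1)
    r["renew_due"] = fe.needs_renewal("ws7", t + 26)
    c2 = fe.issue_challenge("ws7")
    r["fresh_number"] = c2 != c1
    r["replay_rejected"] = not fe.accept_response("ws7", transform(key, c1), t + 26)
    r["old_contract_still_live"] = fe.forward_write("ws7", "pcc-12a", 0x0100, t + 27)
    c3 = fe.issue_challenge("ws7")
    r["renewed"] = fe.accept_response("ws7", transform(key, c3), t + 27)
    r["write_after_old_expiry"] = fe.forward_write("ws7", "pcc-12a", 0x0100, t + 40)
    r["expired_later"] = not fe.forward_write("ws7", "pcc-12a", 0x0100, t + 60)
    fe.issue_challenge("ws9")                          # ws9 has no key on file
    r["unknown_entity_rejected"] = not fe.accept_response("ws9", transform(key, c3), t)
    return r
```

The renewal path is the point of the title: the front end keeps the old contract live until the response to the new number is accepted, so a legitimate workstation never loses its write path during renegotiation, while a replayed response to an earlier number is rejected without disturbing the live contract.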
SECURE COMMUNICATION SYSTEM FOR RE-ESTABLISHING TIME LIMITED COMMUNICATION BETWEEN FIRST AND SECOND COMPUTERS BEFORE COMMUNICATION TIME PERIOD EXPIRATION USING NEW RANDOM NUMBER

This is a continuation of U.S. patent application Ser. No. 08/191,766, filed Feb. 4, 1994, now abandoned, which is a continuation of U.S. patent application Ser. No. 07/898,923, filed Jun. 12, 1992 (abandoned).

BACKGROUND OF THE INVENTION

The present invention generally relates to "front-end" communication techniques between process control computers and a plant/local area network. More specifically, the present invention relates to a front-end communication system which is capable of securely handling messages from the plant area network which could affect the operation of a process control computer.

In chemical manufacturing plants and other relatively large processing plants, a network of control computers and operator workstations may be needed to achieve automated control of an ongoing physical process in the plant. For example, the Jones et al. U.S. Pat. No. 4,663,704, issued on May 5, 1987, shows a distributed processing system for a plant in which a single data highway connects all the various input/output terminals, data acquisition stations, control devices, record keeping devices and so forth. Similarly, the Henzel U.S. Pat. No. 4,607,256, issued on Aug. 19, 1986, shows a plant management system which utilizes a plant control bus for the purpose of transmitting data to physical computer modules on the network.

In some of these process control computer networks, redundant process control computers are employed to enhance the reliability of the plant control and monitoring system. For example, the Fiebig et al. U.S. Pat. No. 5,008,805, issued on Apr. 16, 1991, shows a networked control system which includes a "hot standby" redundant processor that synchronously processes a control schedule table for comparison with control messages from a sender processor that are transmitted on the network. The redundant listener processor maintains a duplicate configuration in its memory ready to take over control of the system in the event of a failure of the sender processor. As another example, the McLaughlin et al. U.S. Pat. No. 4,958,270, issued on Sep. 18, 1990, shows a networked control system which employs a primary controller and a secondary controller. In order to maintain consistency between the primary data base and a secondary image of the data base, only predetermined areas that have changed are updated as a way of increasing the efficiency of the update function. Similarly, the Slater U.S. Pat. No. 4,872,106, issued on Oct. 3, 1989, shows a networked control system which employs a primary data processor and a back-up data processor. Normally, the back-up processor will be in a back-up mode of operation, and it will not operate to exercise control over the input/output devices or receive data concerning the states of the input/output devices. Accordingly, control over the input/output devices is exclusively carried out by the primary processor. However, the primary processor periodically transfers status data relating to its operation in the control of the input/output devices to the back-up data processor via a dual ported memory connected between the two processors.

In contrast with the above networked control systems, another control technique for redundant process control computers exists in which both of the process control computers operate on input data and issue control commands to the same output devices. This type of control technique may be referred to as active redundancy, because each of the redundant process control computers operates independently and concurrently on common input data. A discussion of this type of control technique may be found in the Glaser et al. U.S. patent application Ser. No. 07/864,931, entitled "[...] System Having Triply Redundant Remote Field Units". This application is hereby incorporated by reference.

The use of active redundancy as a control technique presents a difficult problem in terms of communication with the plant computer network, as each actively redundant process control computer will receive a set of input values and each of these process control computers will generate a set of output values. In the case where the actively redundant process control computers arbitrate or resolve some or all of the input and/or output values, to the extent that differences do exist, then multiple sets of input and output values could be created. For example, a set of pre-arbitration and post-arbitration input data values could potentially be available from each of the actively redundant process control computers. Accordingly, it would be desirable to enable some or all of these data sets to be matched up and analyzed by another computer on the plant network without interfering with or slowing down the operation of the actively redundant process control computers. Additionally, it would be desirable to permit one or more of the computers on the plant network to modify certain values used by the program in each of the actively redundant process computers as the need may arise, such as analog constants. However, it should be appreciated that such an activity would need to be restricted in some manner, as predictable changes in the operation of physical devices should be assured.

Accordingly, it is a principal objective of the present invention to provide a secure front-end communication system and method for controlling signal transfers between an actively redundant process control computer and a plant/local area network.

It is another objective of the present invention to provide a secure front-end communication system which is capable of evaluating an instruction from the plant/local area network that could affect the operation of the actively redundant process control computer.

It is also an objective of the present invention to provide a secure front-end communication system which ensures that there is proper alignment with the operating program in the actively redundant process control computers.

It is a further objective of the present invention to provide a secure front-end communication system which enables one of the actively redundant process control computers to receive a revised operating program without adversely affecting the operation of the other actively redundant process control computer.

It is an additional objective of the present invention to provide a secure front-end communication system and method which is capable of utilizing a plurality of different communication protocols and encryption
techniques depending upon the type of message being transmitted.

SUMMARY OF THE INVENTION

To achieve the foregoing objectives, the present invention provides a secure front-end communication system which is interposed between a plurality of actively redundant process control computers and a computer network. The secure front-end communication system includes a front end computer which is capable of establishing time limited communication contracts with one or more computer entities on the computer network. In accordance with the method of the present invention, each of these time limited communication contracts is based upon an acceptable response to the transmission of an unpredictable signal from the front end computer. More particularly, the acceptable response is preferably in the form of an encrypted transformation of a pseudo-random number generated by the front end computer. Additionally, before the time limited communication contract expires, the front end computer will negotiate a new time limited communication contract with the computer entity on the computer network using a new pseudo-random number.

In one form of the present invention, the front end computer also includes at least one permissive table which is used to determine whether a write command message from the network entity should be transmitted to the process control computer for which the message was intended. A security server is also included on the computer network for transmitting a security table to the front end computer. The security table is used to identify the network entities that are permitted to send write command messages to the process control computers to which the front end computer is connected.

Additional features and advantages of the present invention will become more fully apparent from a reading of the detailed description of the preferred embodiment and the accompanying drawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an intelligent front-end communication system for a plurality of actively redundant process control computers which utilizes a stealth interface according to the present invention.

FIGS. 2A and 2B provide a diagrammatic representation of the data tables stored in a time aligned reflective memory buffer and the Correlate buffer shown in FIG. 1.

FIG. 3 is a block diagram of the stealth interface shown in FIG. 1.

FIGS. 4A and 4B comprise a schematic diagram of the stealth interface of FIGS. 1 and 3.

FIGS. 5A and 5B illustrate two timing diagrams for the stealth interface.

FIGS. 6A-6E comprise a set of flow charts illustrating particular aspects of the security and validation methods according to the present invention.

FIG. 7 is a block diagram of the application software for the front end computers shown in FIG. 1.

FIG. 8 is a diagrammatic illustration of the configuration for the front end computers.

FIG. 9 is a diagrammatic illustration of the relationship between the reflective memory buffers in the front end computers, the transfer map in the IFS circuit and the data memory in the process control computers.

FIG. 10 is a block diagram of the IFS circuit shown in FIG. 1.

FIG. 11 is a block diagram of the IFQ circuit shown in FIG. 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to FIG. 1, a block diagram is shown of an intelligent front-end communication system 10 which is coupled to a pair of actively redundant process control computers 12a-12b. Each of the process control computers 12a-12b receives common input data from field computer units (not shown) or other suitable field instrumentation. In this regard, the Glaser et al. U.S. patent application Ser. No. 07/864,931, still pending, referenced above, describes in detail the communication and control links between a pair of actively redundant process control computers, such as process control computers 12a-12b, and the input/output devices directly associated with the physical process being controlled.

While the redundancy of two actively operating process control computers has certain fault tolerance advantages over a single decision making process control computer, it should be understood that the principles of the present invention are not limited to any particular configuration of process control computers. Thus, for example, it may be desirable to employ three process control computers in the place of the two process control computers 12a-12b shown in FIG. 1 under the appropriate circumstances.

In the present embodiment, the process control computers 12a-12b preferably operate concurrently on all of the signals transmitted from one or more field computer units. In other words, each of the process control computers 12a-12b is capable of making independent decisions based upon the data received by these redundant computers from the field. The decisions made by the process control computers 12a-12b determine the output signal values which are ultimately directed to specific output devices (e.g., valves, pump motors and reactor heaters) by the appropriate field computer units. While the output signal values are preferably reconciled at least to some extent between the two actively redundant process control computers 12a-12b before the transmission of these signals to the field, it should be understood that two independent sets of output signal values could be communicated to the field computer units. In this regard, the input values received from a field computer unit could be arbitrated, which should make it unnecessary to reconcile or arbitrate output values. This is because both of the process control computers 12a-12b would then be working with the same process control program and operating on the same set of arbitrated input values.

As an example of a preferred form of possible value reconciliation, corresponding input value tables in each of the process control computers 12a-12b could be compared during a preset time period, and one of the values could be chosen for each input value signal to be subjected to the process control program. This selection of input values could be made on criteria suitable to the process being controlled, such as the use of the value determined by the Left process control computer 12a when the value determined by the Right process control computer 12b is within a certain predetermined percentage limit (e.g., 2.5%). Otherwise, the distinct input values of both the Left and Right process control computers could each be employed when these values are found to be outside the predetermined percentage




5,428,745 


limit. Alternatively, the selection of different input/output values from the Left and Right process control computers could be made on the basis of a software implemented preference. Thus, for example, under certain process conditions, it may be considered more appropriate to select either the high or low value, regardless of whether the value was determined by the Left or Right process control computer.

To facilitate this arbitration or reconciliation process, a parallel communication link 14 is provided between the process control computers 12a-12b. Parallel communication link 14 is referred to as the "major" link, as it permits a direct transfer of data and timing signals between the process control computers. It should also be noted that the Left process control computer 12a is labeled "fox", while the Right process control computer 12b is labeled "dog". These are logical designations for alternative operating modes of the process control computers 12a-12b.

While each of the process control computers 12a-12b makes independent decisions, which may be subject to arbitration, the process control computer currently in the fox mode has the ability to force the process control computer in the dog mode to move to a particular step in a programmed sequence in order to keep the cooperative efforts of the two process control computers in relative synchronization. Additionally, the process control computer in the fox mode will transmit a timing signal to the process control computer in the dog mode at the beginning of its process control program cycle (e.g., a one second period), so that the process control computer in the dog mode will know to begin a new process control program cycle as well. As the process control computers 12a-12b operate under their own clock oscillators, the detection and interpretation of this program cycle timing signal by the process control computer in the dog mode will help to periodically keep these process control computers in relative synchronization. However, it should be appreciated that the program cycle of the process control computer in the dog mode will typically follow the program cycle of the process control computer in the fox mode by the period of time it takes to transmit and then detect the program cycle timing signal (e.g., 20 microseconds to 20 milliseconds).

In the event that process control computers 12a-12b are temporarily not able to communicate over the major link 14, each of these process control computers will continue their operations in a mode which assumes that they are operating alone. In this mode of operation, it should be appreciated that the program cycles of the process control computers 12a-12b may gradually drift apart in time relative to each other. Nevertheless, as will be seen from the discussion below, the front end communication system 10 is designed to enable data received from the process control computers 12a-12b to be time aligned for real-time analysis.

As illustrated in FIG. 1, each of the process control computers 12a-12b includes a stealth interface according to the present invention. In particular, process control computer 12a includes stealth interface circuit 16a, while process control computer 12b includes stealth interface circuit 16b. As the stealth interface circuits 16a-16b comprise identical circuits, these stealth interface circuits are sometimes referred to generally herein as stealth interface circuit 16. Due to the redundant nature of the front end communication system 10, a general reference number will also be used for other duplicative components in the system.

The stealth interface 16 provides transparent data transfers between the process control computer to which it is connected and external communication devices. In this regard, the data transfers are transparent to the process control computer 12 in that the operation of the process control computer is not delayed or otherwise adversely affected by a transfer of its data to one or more external communication devices. The stealth interface 16 also enables the transfer of messages from an external communication device without affecting the operation of the process control computer 12. The primary example of such external communication devices is shown in FIG. 1 to be comprised of a pair of redundant front end computers 18a-18b. The front end computers 18a-18b are redundant, because communication paths are provided for enabling each of these front end computers to exchange data and messages with both of the stealth interface circuits 16a-16b. The front end computers 18a-18b provide a highly intelligent interface between the stealth interface circuits 16a-16b and a plant/local area network, which is generally designated by reference numeral 20. However, while each of the front end computers 18a-18b is capable of communicating with each of the stealth interface circuits 16a-16b, it should be appreciated that this redundancy is not required, and that a single front end computer may be employed in the appropriate application. Additionally, as will be more apparent from the discussion below, each of the stealth interface circuits is capable of exchanging data and messages with other external communication devices, as well as the front end computers 18a-18b.

As illustrated in FIG. 1, the stealth interface circuit 16 features a dual-ported memory "DPM" 22 which resides on the bus structure of the process control computer 12. Indeed, in the embodiment disclosed herein, the dual-ported memory 22 provides the primary or only data memory for the process control computer 12. Thus, in accordance with the present invention, the stealth interface circuit 16 will selectively grant external devices direct access to the data memory of the process control computer itself. The dual-ported memory 22 includes an internal port which is connected to the bus structure of the process control computer 12 and an external port, which is sometimes referred to herein as the stealth port. While the dual-ported memory 22 could be configured to provide additional ports, the dual-ported memory preferably includes an arbitration circuit which enables a plurality of external communication devices to have alternative access to the stealth port. In other words, only one external device will be able to use the data and address lines of the stealth port at any given time when access to the dual-ported memory is permitted through the stealth port, even though more than one external device may ultimately be coupled to the data and address lines of the stealth port. In the present embodiment, the stealth interface arbitration circuit employs a first-come, first-served approach to granting access rights.

However, in accordance with the present invention, this arbitration circuit operates only on the stealth port. There is no arbitration per se between the internal and external ports of the stealth interface circuit 16. Rather, access to the dual-ported memory 22 from the external/stealth port is available only during those times when the process control computer 12 cannot access
the dual-ported memory. More specifically, in the form of the invention disclosed herein, the machine cycle of the process control computer 12 is utilized to control access to the dual-ported memory 22. As is well known, the central processing unit of any computer must fetch and decode one or more programmed instructions in order to operate on one or more data words. In computers based upon the von Neumann architecture, it typically takes several computer clock cycles to fetch, decode and execute an instruction. However, in the present embodiment, the process control computer 12 is based on the Harvard architecture, which permits both an op-code instruction and the operand data for this instruction to be fetched in the same clock cycle. This is because a computer based upon the Harvard architecture includes physically separate instruction and data stores, and each of these stores has its own address and data lines to the central processing unit. Thus, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching and decoding an instruction, the dual-ported data memory 22 may be accessed from the stealth port. Then, during the portion of the clock cycle for the process control computer 12 that is devoted to fetching the operand from the data store, the process control computer will have access to the dual-ported data memory 22 from the internal port.

In accordance with the present invention, the stealth interface circuit 16 watches for a specific transition in the memory clock signal of the process control computer 12 in order to determine when the stealth port may have access to the dual-ported data memory 22. In this regard, it should be understood that the process control computer itself is not affected by this external access, as external access is permitted by the stealth interface circuit 16 only during those time periods when the process control computer 12 will not need to access the dual-ported data memory 22. Indeed, the process control computer 12 does not even have to know that externally generated read/write activity is actually occurring with respect to its data store. Nevertheless, in accordance with the present invention, an important distinction is made between the ability to "read" from the dual-ported data memory 22 and the ability to "write" to the dual-ported data memory, as far as the stealth port is concerned. While it may be desirable to enable an external communication device to read each and every memory location in the dual-ported data memory 22, this may not be true with respect to the ability of an external device to write to memory locations in the dual-ported memory. In this regard, the dual-ported data memory 22 will store not only dynamic data associated with the physical process being controlled, but it may also store other process control variables, such as analog and digital constants.

Accordingly, the dual-ported memory 22 includes two "logical" memory sections, namely variable section 24 and mailbox section 26. These memory sections are logically distinct, because they are treated separately, even though they may both reside in the same physical memory circuit chip or chip set. In the present embodiment, the mailbox section 26 is comprised of a set of 256 memory word locations (16 bits each) in the dual-ported data memory 22, and the variable section 24 is comprised of the remaining memory locations in the dual-ported data memory 22 (e.g., a block of 64k memory word locations). The variable section 24 may also include a message area for holding system messages from the process control computer 12 to the front end computer 18. The mailbox section 26 is used to provide a specific region in memory for storing messages from external devices, such as the front end computers 18a-18b. In this regard, it should be appreciated that the memory locations of the mailbox section 26 do not need to be physically contiguous. While the mailbox section 26 may be configured to hold more than one message at any one time, depending upon the message transmission protocol employed, the mailbox section need only be large enough to hold one complete message. These messages may be as simple as an external request for the process control computer 12 to gather and transmit health/status data from a remote field computer unit that it may obtain less frequently. A message may also include a command to change a particular variable stored in the dual-ported data memory 22. Additionally, the mailbox section 26 of the dual-ported data memory 22 may also be used to electronically convey a program revision to the process control computer 12.

As will be more fully discussed below, the stealth interface circuit 16 includes a guardian circuit which prevents any external entity from writing to any memory locations in the variable section 24 of the dual-ported data memory 22. Thus, while some or all of the memory locations in the dual-ported data memory 22 may be read from the stealth port, an external entity is only permitted to write to the memory locations in the mailbox section 26 of the dual-ported memory 22. This feature of the present invention provides a hardware safeguard at the process control computer 12 which ensures that no external entity will be able to inadvertently interfere with the data processing operations of the process control computer 12. As will be more apparent from the discussion below, this feature of the present invention could also be employed to grant or deny external write access to any particular memory location or set of memory locations in the dual-ported data memory 22.

In order to rapidly pump data into or out from the stealth port, the front end communication system 10 of FIG. 1 is also shown to include an interface to stealth "IFS" circuit 28, an interface to Q-bus "IFQ" circuit 30, and a set of fiber optic cables 32 interposed therebetween. The IFS circuit 28 is connected to the stealth port of the dual-ported data memory 22, while the IFQ circuit 30 resides on the "Q bus" of the front end computer 18. Due to the redundant nature of the front end communication system 10, it should be appreciated that the IFS circuit 28a is connected to the stealth port of dual-ported data memory 22a, while IFS circuit 28b is connected to the stealth port of dual-ported data memory 22b. Similarly, the IFQ circuit 30a is connected to the Q bus of the front end computer 18a, while the IFQ circuit 30b is connected to the Q bus of the front end computer 18b. In the embodiment disclosed herein, the front end computer 18 is preferably comprised of a MICROVAX 3400 computer using the realtime ELN operating system from the Digital Equipment Corporation "DEC". While the VAX family of computers from DEC offers considerable speed and networking advantages, it should be appreciated that other suitable front end computers may be employed in the appropriate application.

In order to permit each of the front end computers 18a-18b to conduct bi-directional communications with both of the stealth interface circuits 16a-16b, the fiber optic cables 32 actually include two sets of send and
receive optical fibers (e.g., 62.5/125/0.275NA type fibers). However, the separate send and receive optical fibers for each of the front end computers 18a-18b are represented as single channels in FIG. 1 for simplicity. Thus, fiber optic channel 34a includes a separate optical fiber for sending information from the front end computer 18a to the stealth interface circuit 16a and an optical fiber for receiving information from the stealth interface circuit 16a. Similarly, the fiber optic channel 36a includes a separate optical fiber for sending information from the front end computer 18a to the stealth interface circuit 16b and an optical fiber for receiving information from the stealth interface circuit 16b. This arrangement of optical fibers is also duplicated for the front end computer 18b.

In the present embodiment, the combination of the IFS circuit 28, the IFQ circuit 30 and the fiber optic cables 32 provides an optical transmission interface which permits the front end computers 18a-18b to be remotely located from the process control computers 12a-12b. For example, in this embodiment it is possible for the front end computers 18a-18b to be located up to 2 km from the process control computers 12a-12b. Additionally, it should be noted that the Fiber Distributed Data Interface "FDDI" protocol may be used to transmit information between the IFQ and IFS circuits over the fiber optic cables 32.

The IFS circuit 28 includes the appropriate address and data buffer circuits (not shown) for transferring information to and from the stealth port of the dual-ported data memory 22. The IFS circuit 28 also includes a transfer map 37 which enables data from selected locations in the dual-ported data memory 22 to be gathered and transferred as one contiguous block of data. The transfer map 37 may be comprised of a static RAM with sufficient address storage capability to gather data from all of the available memory locations in the dual-ported data memory 22.

Additionally, the IFS circuit 28 includes a separate transmitter and receiver circuit for each of the two front end computers 18a-18b, such as transmitter 38a and receiver 40a. The transmitter 38a is adapted to convert parallel data words (e.g., 16 bits) from the stealth port into a serial bit stream suitable for transmission over one of the fiber optic cables 32. Similarly, the

for their speed, low error rate and security advantages over mediums such as coaxial cable, it should be understood that other suitable data transmission media could be employed in the appropriate application.

In the present embodiment, the transmitters and receivers in the IFS and IFQ circuits are preferably comprised of a high-performance Gallium Arsenide chipset, such as the "Gazelle" GA9011 transmitter and GA9012 receiver from TriQuint Semiconductor, Inc., 2300 Owens St., Santa Clara, Calif. These particular transmitters and receivers permit data transmission rates in excess of 200 Mbits/second. These transmitters and receivers utilize a 40-bit wide parallel bus which enables data to be encoded into a 50-baud word using FDDI-standard 4B/5B encoding. In this encoding, 4-bit data nibbles are translated into a 5-baud code symbol. Accordingly, the 4B/5B encoding produces ten 5-baud symbols from ten 4-bit data nibbles in order to comprise a data frame. The GA9011 transmitters also convert the serial stream from a Non-Return to Zero "NRZ" format to a Non-Return to Zero, Invert on ones "NRZI" format, which combines the transmission of data and clock signals into a single waveform. The NRZI waveform denotes a logical one with a polarity transition and a logical zero with no transition within the bit time frame. These logical ones and zeros are called bauds, and each group of five bauds is called a symbol. For example, a "0000" 4-bit binary input will be converted to a "11110" 5-baud binary symbol output, while a "1011" 4-bit binary input will be converted to a "10111" 5-baud binary symbol output.

The use of 4B/5B encoding and NRZI formatting combine to substantially enhance the reliability of high-speed data transmissions over the fiber optic cables. The GA9012 receivers have built-in clock and data recovery (e.g., NRZI to NRZ conversion), and they also monitor the incoming 5B symbols for validity. In this regard, the 4B/5B encoding creates a number of invalid symbols which may be checked for at the GA9012 receivers. As the presence of noise or jitter across the fiber optic link could cause one or more of the bauds to change to an unintended value, the detection of invalid symbols reduces the possibility of a transmission error going undetected.

As an additional layer of protection from potential

receiver 40a is adapted to convert a serial bit stream errors, data transmissions from the IFS circuit 28 are 

from the front end computer 18 into a parallel data formed into complete data frames, which are comprised 

word for trarisrnission to the stealth port through one or of the data to be transferred (Lc, the 40-bit input data 

more of the IFS circuit biirTers. A corresponding set of frame), a I6^rt destination address field, a 4-bit control 

traismitters and receivers are also provided intheEFQ 50 code field and a 4-bit error detection code field. These 

circuit 30, such as transmitter 386 and receiver 406. complete data frames are preferably separated from 

From the above, it should be appreciated that the use of each other on the fiber optic link by at least one sync 

two sets of transrmtter-receiveT pairs enables data to be frame. As potential physical link errors may have a 

transferred anoVor received simultaneously between burst or clustering nature, the error code needs to be 

both of the IFS circuits 2»a-2*b and both of the IFQ 55 able to detect up to four contiguous bit errors, to this 

circuits 30a-30b. Thus, for example, the IFS circuit 28a reg ard, a longitudinal Redundancy Check "LRC" 

is capable of simultaneously trarjsrnitting data acquired code is employed to prevent masked errors from poten- 

from the process control computer Ma to both of the tially corrupting subsequent data processing operations, 

front end cornputers 18*-18& This type of error code is also referred to as a "Longitu- 

Whfle not shown for lflustration simplicity, it should 60 dmal Parity Check". In a LRC code, a 4-bit nibble 

appreciated that a laser or LED light source is inter- composed of parity bits is generated and inserted into 

posed between each of the transmitters (e.g, transmit- the encoded data stream for a predetennined number of 

ters 3Sa-3*b>) and their respective optical fibers. Simi- data nibbles in the encoded data stream, as shown be- 

lariy, a photo-detector is also interposed between each i ow: 
of the receivers (eg., receivers 400-404*) and their re- 65 

spective optical fibers. For example, these light con- 

verters may be comprised of a pair of AT&T ODL200 M b3 b2 bi 

series converters. While fiber optic cables are preferred data nibble I | x x x x | 
-continued

                 b4  b3  b2  b1
data nibble 2  |  x   x   x   x |
data nibble 3  |  x   x   x   x |
        .
        .
        .
data nibble 9  |  x   x   x   x |
data nibble 10 | p4  p3  p2  p1 |

where pi = bi1 XOR bi2 XOR . . . XOR bi9, and i = bit location 1 to 4. Thus, the ith bit of this parity check character checks the ith information bit position in data nibbles 1 through 9 under even parity conditions. The combination of the LRC error checking, the 4B/5B encoding and the NRZI conversion enable the front end communication system 10 to provide a targeted Baud Error Rate "BER" of 10^-12. While a Cyclic Redundancy Check "CRC" code could be employed in lieu of the LRC code, the more complicated CRC code would also increase the complexity of the IFQ and IFS circuits. Additionally, the LRC coding more readily permits dual fiber optic channel signal transmissions between the IFS and IFQ circuits, and the intrinsic synchronization features of the Gazelle transmitters 38a-38b and receivers 40a-40b may be used to frame the LRC based protocols.

The IFQ circuit 30 includes a microprocessor 42 (e.g., an Intel 80186 chip) which provides the data pump for the front end computer 18. The microprocessor 42 is not only responsible for all IFQ/IFS protocol control and relaying data from the process control computers 12a-12b to a destination on the network 20, but it is also responsible for controlling the integrity of write activities to the IFS and IFQ circuits. For example, the microprocessor 42 may be used to program the transfer map 37 in the IFS circuit 28, so that only a particular . . . be gathered and transmitted to the front end computer . . . way, the actual contents of the transfer map 37 may be . . . and the IFS circuit are under the control of IFQ circuit microprocessor 42. In this regard, there are three types of data transmissions from the IFQ circuit 30 to the IFS circuit 28, namely "load transfer map", "send command messages" and "receive data". The load transfer map transmission will enable the IFQ circuit 30 to load the transfer map 37 of the IFS circuit 28 with the specific variable addresses which will steer the data memory transmit bursts from the IFS circuit. The receive data transmission will cause the IFS circuit 28 to return the requested segment of memory from the dual-ported data memory 22.

A command message transmission will start with a Write-Lock request to the IFS circuit 28. Assuming that the incoming buffer is free, the IFS circuit 28 will assert a Write-Lock on the mailbox section 26 of the dual-ported data memory 22, and return a positive acknowledgement to the IFQ circuit 30. The IFQ circuit 30 may then transmit its message with the assurance that no other device will be able to write to the mailbox section 26 until its message has been completely stored and preferably read by the process control computer 12. However, a time limit may be imposed on the Write-Lock to ensure that the flow of communications is not impeded by one of the external entities connected to the stealth interface circuit 16. It should also be appreciated that message transmissions should not take place during any time in which a data burst should be received from the IFS circuit 28.

As another measure of data transmission protection, the IFQ circuit 30 will cause the IFS circuit 28 to read back a message transmitted to and stored in the mailbox section 26 of the dual-ported data memory 22 in order to be sure that the message was transmitted and stored correctly. Once the IFQ circuit 30 determines that the message has been accurately received and stored, then the IFQ circuit will cause a flag to be set which will signal the process control computer 12 to pick up the new message. In the event that this data verification fails, then the message transmission process will be repeated.

The IFQ circuit 30 also includes a process data buffer 44, which is shown as a block in FIG. 1 for illustration simplicity. However, the process data buffer 44 should include sufficient memory capacity to store a separate data table for each of the process control computers 12a-12b (e.g., 262,144 bytes). Each of these data tables will include both the SDSS and DSS data transmissions. Additionally, a DMA buffer (not shown) may also be provided to allow some elasticity in processing the data being received. In this regard, it should be noted that both the IFS circuit 28 and the IFQ circuit 30 are configured to facilitate bi-directional Direct Memory Access "DMA" transfers between the IFQ circuit 30 and the Q-bus of the front end computer 18. In this way, the central processing unit 45 of the front end computer 18 does not need to devote substantial time to processing data transfers to and from the IFQ circuit 30. Accordingly, the DMA buffer is preferably used as a bucket brigade area to perform DMA transfers on blocks of data from the process data buffer 44 (e.g., 8 K bytes at a time) to a suitable memory residing on the . . . of the front end computer 18. . . . The use of DMA . . . the front end communication system 10 to achieve the . . . of making available real-time data from the process control computers 12a-12b to one or more computers on the network 20. More specifically, the front end communication system 10 is designed to request, receive . . . post-arbitrated data from each of the process control computers 12a-12b within a one-second time resolution. For example, in this particular embodiment, each of the process control computers 12a-12b will issue a Sequence Data Stable Strobe "SDSS" signal in every one-second program cycle, which indicates that approximately 1024 (16 bit) words of pre-link dynamic analog/digital input data is stable and available in the dual-ported data memory 22. This specific data set is referred to as pre-link data, as this data has not yet been arbitrated between the process control computers 12a-12b via data transmissions across the major link 14. Subsequently, in the same one-second program cycle, each of the process control computers 12a-12b will issue a Data Stable Strobe "DSS" signal, which indicates that a complete set of post-arbitrated input and output data is stable and available in the dual-ported data memory 22. This data set is referred to as post-arbitrated, as the input values will have been arbitrated or resolved by this point in the program cycle. In the present embodiment, this post-arbitrated data set may be
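The encoding and error-detection layers of the IFS/IFQ link described above, written out as an added C example (not code from the patent): the FDDI 4B/5B table, NRZI line coding, and the LRC nibble computed over data nibbles 1 through 9, with a constructed burst fault to show which layer catches it. The function names, the frame layout of nine data nibbles plus one LRC nibble, and the fault model are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* FDDI 4B/5B data symbols indexed by nibble value; the page's own examples
 * (0000 -> 11110 and 1011 -> 10111) are entries 0 and 11. */
static const uint8_t FOUR_B_FIVE_B[16] = {
    0x1E, 0x09, 0x14, 0x15, 0x0A, 0x0B, 0x0E, 0x0F,
    0x12, 0x13, 0x16, 0x17, 0x1A, 0x1B, 0x1C, 0x1D
};

#define DATA_NIBBLES 9                    /* nibbles 1..9 carry data      */
#define FRAME_NIBBLES 10                  /* nibble 10 carries the LRC    */
#define FRAME_BAUDS (FRAME_NIBBLES * 5)   /* the 50-baud line word        */

typedef enum { FRAME_OK, FRAME_INVALID_SYMBOL, FRAME_LRC_MISMATCH } frame_status;

/* Reverse lookup: returns the nibble for a 5-baud symbol, or -1 for one of
 * the code points the 4B/5B table leaves invalid (what the receiver flags). */
int decode_symbol(uint8_t sym)
{
    for (int n = 0; n < 16; n++)
        if (FOUR_B_FIVE_B[n] == sym)
            return n;
    return -1;
}

/* LRC nibble as defined on the page: p_i = b_i1 XOR b_i2 XOR ... XOR b_i9,
 * i.e. even parity of bit position i across data nibbles 1..9. */
uint8_t lrc_nibble(const uint8_t nibbles[DATA_NIBBLES])
{
    uint8_t p = 0;
    for (int k = 0; k < DATA_NIBBLES; k++)
        p ^= nibbles[k] & 0x0F;
    return p;
}

/* Transmitter: append the LRC nibble, then 4B/5B-encode all ten nibbles into
 * 50 NRZ bauds (most significant baud of each symbol first). */
void encode_frame(const uint8_t nibbles[DATA_NIBBLES], uint8_t bauds[FRAME_BAUDS])
{
    uint8_t all[FRAME_NIBBLES];
    memcpy(all, nibbles, DATA_NIBBLES);
    all[DATA_NIBBLES] = lrc_nibble(nibbles);
    for (int k = 0; k < FRAME_NIBBLES; k++) {
        uint8_t sym = FOUR_B_FIVE_B[all[k] & 0x0F];
        for (int b = 0; b < 5; b++)
            bauds[k * 5 + b] = (sym >> (4 - b)) & 1;
    }
}

/* NRZI: a one baud is a polarity transition, a zero baud is no transition.
 * The line is assumed to rest at level 0 after the preceding sync frame. */
void nrzi_encode(const uint8_t bauds[FRAME_BAUDS], uint8_t levels[FRAME_BAUDS])
{
    uint8_t level = 0;
    for (int i = 0; i < FRAME_BAUDS; i++) {
        level ^= bauds[i];
        levels[i] = level;
    }
}

/* Receiver clock/data recovery: a transition between bit times is a one. */
void nrzi_decode(const uint8_t levels[FRAME_BAUDS], uint8_t bauds[FRAME_BAUDS])
{
    uint8_t prev = 0;
    for (int i = 0; i < FRAME_BAUDS; i++) {
        bauds[i] = levels[i] ^ prev;
        prev = levels[i];
    }
}

/* Receiver: reject any invalid 5B symbol first, then verify the LRC nibble
 * against nibbles 1..9. Only a frame passing both checks yields data. */
frame_status decode_frame(const uint8_t bauds[FRAME_BAUDS], uint8_t out[DATA_NIBBLES])
{
    uint8_t nib[FRAME_NIBBLES];
    for (int k = 0; k < FRAME_NIBBLES; k++) {
        uint8_t sym = 0;
        for (int b = 0; b < 5; b++)
            sym = (uint8_t)((sym << 1) | (bauds[k * 5 + b] & 1));
        int n = decode_symbol(sym);
        if (n < 0)
            return FRAME_INVALID_SYMBOL;
        nib[k] = (uint8_t)n;
    }
    if (lrc_nibble(nib) != nib[DATA_NIBBLES])
        return FRAME_LRC_MISMATCH;
    memcpy(out, nib, DATA_NIBBLES);
    return FRAME_OK;
}

/* Constructed fault model: noise or jitter flips `len` contiguous bauds. */
void inject_burst(uint8_t bauds[FRAME_BAUDS], int start, int len)
{
    for (int i = start; i < start + len && i < FRAME_BAUDS; i++)
        bauds[i] ^= 1;
}
```

A burst confined to one symbol is usually caught by the symbol validity check; a burst straddling two symbols can leave both symbols valid, and it is then the LRC nibble that exposes it.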
comprised of up to 65,536 (16-bit) words, as it will include both input and output values (and any other variables stored in the dual-ported data memory 22).

It should also be noted at this point that one of the first functions in the program cycle of the process control computers 12a-12b is to make output value decisions from the post-arbitrated input data obtained in the immediately preceding program cycle. Accordingly, it should be appreciated that the post-arbitrated data set will include the arbitrated input values from the current program cycle and the output values from the immediately previous program cycle.

It is also important to understand that the function of obtaining a copy of the pre-link and post-arbitrated data sets cannot be permitted to delay the operations of the process control computers 12a-12b. Thus, for example, the front end communication system 10 must be sufficiently fast to obtain a copy of the pre-link data sets before the process control computers 12a-12b need to have the ability to change one or more of these data values through the arbitration process. Accordingly, in the context of the present embodiment, the front end communication system 10 needs to be able to acquire a pre-link data set within ten milliseconds of the time that the SDSS signal was initially asserted in order to have the assurance of data stability. Similarly, the front end communication system 10 needs to be able to acquire a post-arbitrated data set within fifty milliseconds of the time that the DSS signal was initially asserted. In this regard, it should be appreciated that each of these data sets need to be independently acquired from both of the process control computers 12a-12b by each of the front end computers 18a-18b. Additionally, each of the front end computers 18a-18b must also be able to send messages to one or both of the process control computers 12a-12b during time periods outside of the SDSS and DSS data acquisition windows.

In order to further facilitate the ability of the front end communication system to acquire the SDSS and DSS data sets without any data transfer bottlenecks, and also provide the ability to group and time align the data sets being received, each of the front end computers 18a-18b includes a set of at least three reflective buffers for each of the process control computers 12a-12b. Each of these logically distinct reflective buffers or shadow memories may reside in the same physical memory chip or chip set in the front end computer 18. As shown in FIG. 1, the set of reflective buffers contained in the front end computer 18a is generally comprised of a ZERO buffer "ZL" 46a for the Left process control computer 12a, a ZERO buffer "ZR" 48a for the Right process control computer 12b, a ONE buffer "OL" for the Left process control computer, a ONE buffer "OR" for the Right process control computer, a TWO buffer "TL" for the Left process control computer, and a TWO buffer "TR" for the Right process control computer. Additionally, it should be understood that a corresponding set of reflective buffers are contained in the front end computer 18b, such as the ZERO buffer "ZL" 46b for the Left process control computer 12a and the ZERO buffer "ZR" 48b for the Right process control computer 12b.

The IFQ circuit 30 writes to these left and right buffers in a "round robin" fashion using DMA data transfers. In other words, the IFQ circuit 30 will fill the ZERO buffer 46a with pre-link and post-arbitrated data of a particular process control cycle from the Left process control computer 12a. Then, when pre-link and post-arbitrated data for the next process control cycle is received from the Left process control computer 12a, the IFQ circuit will increment to the ONE buffer 50a in order to store this data. Similarly, the IFQ circuit 30 will turn to the TWO buffer 54a when pre-link and post-arbitrated data for the third process control cycle is received from the Left process control computer 12a in order to store this data. Then, when pre-link and post-arbitrated data for the fourth in time process control cycle from the Left process control computer 12a is to be stored, the IFQ circuit 30 will return to address the ZERO buffer 46a for data storage. Of course, it should be appreciated that the IFQ circuit 30 will employ the same round robin sequence for individually transferring pre-link and post-arbitrated data to the three reflective buffers 48a, 52a and 56a that are used for the Right process control computer 12b.

For purposes of illustration, FIG. 1 shows three reflective memory buffers (46a, 50a and 54a) for the Left process control computer 12a, and three reflective memory buffers (48a, 52a and 56a) for the Right process control computer 12b. However, as the SDSS and DSS data transfers are treated as independent DMA events, the reflective memory buffers preferably include distinct reflective memory buffers for each of these events. Accordingly, a total of twelve reflective memory buffers are preferably provided in the front end computer 18. Additionally, each of these reflective memory buffers are individually tracked, so that the ordering of these buffers do not necessarily have to follow the regimen shown below:

    Second N:   (ZERO-SDSS-L ZERO-DSS-L ZERO-SDSS-R ZERO-DSS-R)
    Second N+1: (ONE-SDSS-L  ONE-DSS-L  ONE-SDSS-R  ONE-DSS-R)
    Second N+2: (TWO-SDSS-L  TWO-DSS-L  TWO-SDSS-R  TWO-DSS-R)

Rather, the ordering of these buffers could also proceed under other regimens, such as shown below:

    Second N:   (ONE-SDSS-L  TWO-DSS-L  ZERO-SDSS-R ONE-DSS-R)
    Second N+1: (TWO-SDSS-L  ZERO-DSS-L ONE-SDSS-R  TWO-DSS-R)
    Second N+2: (ZERO-SDSS-L ONE-DSS-L  TWO-SDSS-R  ZERO-DSS-R)

It is important to understand that the corresponding left and right reflective buffers (e.g., buffers 46a and 48a) will generally not become filled at the same time, as the program time line of the process control computer in the dog mode should follow the program time line of the process control computer in the fox mode by a predeterminable period of time (e.g., 20-microseconds to 20-milliseconds). However, these time lines may become considerably separated in the event that communications across the major link 14 are not possible, as mentioned above. Even when the left and right SDSS or DSS signals are asserted at near the same time, the delays required to transfer this information to the IFQ circuit 30 and then transfer this information into the appropriate reflective memories may result in a wider time skew between these events as seen by the application software of the front end computer 18 than as seen by the process control computer and IFS circuit hardware. Nevertheless, it is the responsibility of the front end computer 18 to ensure that the data sets ultimately made available to the computer network 20 represent data from the process control computers 12a-12b in the same program cycle (e.g., a one second period). In this
regard, the application software of the front end computer 18 includes a procedure, referred to as "MI Sync", which groups individual data transfer events into a cohesive set of buffers that represent a "snapshot" of the pre-link and post-arbitrated data for a particular process control cycle.

The MI Sync procedure uses a set of reflective memory buffer management structures (MI_RMBMS) to track the status of incoming data transfers. When the IFQ circuit driver software signals to the MI Sync procedure that a DMA transfer has completed, MI Sync records the required information in the appropriate MI_RMBMS data structure. When MI Sync determines that a complete set of buffers has been received and stored (i.e., left SDSS, right SDSS, left DSS and right DSS), it updates a global data structure (MI_RM_DATA) with the pointers to the newly received data. These pointers are copied from the MI_RMBMS data structure. Accordingly, MI_RM_DATA includes the pointers to the currently available "complete" or time aligned set of reflective memory buffers. Depending upon where the front end computer 18 is in the round robin procedure, the most current time aligned set of reflective memory buffers may be the TWO buffers 54a and 56a at one time interval, the ONE buffers 50a and 52a at the next time interval, and the ZERO buffers 46a and 48a at the following time interval. In the event that the SDSS or DSS data from one of the process control computers 12a-12b is not received by the IFQ circuit 30, MI Sync will still maintain time alignment by using an appropriate timeout (e.g., 700 milliseconds) for updating the MI_RM_DATA pointers. An indication will also be provided as to which buffer or buffers are unavailable.

The buffer pointers within MI_RM_DATA are protected by a mutual exclusion semaphore or "mutex". MI Sync requests this mutex before copying the new pointers to MI_RM_DATA and releases it immediately after the copy is complete. When a network entity needs to access reflective memory data, a copy of the MI_RM_DATA pointers is made by requesting the mutex, copying these buffer pointers to a local data structure, and then releasing the mutex. Since the application for querying or reading the data uses a copy of the pointer, contention for the mutex is minimized and MI Sync will be able to update MI_RM_DATA with new pointers as soon as the next complete set of data has been stored. In this regard, it is important to note that this method will enable the reading application to still access the same set of reflective memory buffers while MI Sync updates MI_RM_DATA with new pointers. Since reading applications will access the most current time aligned set of reflective memory buffers, it should be understood that a reading application could be accessing one set of reflective memory buffers (e.g., the TWO buffers 54a and 56a), while a subsequent reading application could be given access to another set of reflective memory buffers (e.g., the ONE buffers 50a and 52a) once MI Sync updates MI_RM_DATA with new pointers.

It should also be understood that applications which access the reflective memories will be able to run to completion before the referenced buffers are overwritten with new incoming data. In one embodiment of the front end communication system 10, applications requiring reflective memory data are assigned execution priorities high enough to allow them to run to completion in less than one second. However, it should be appreciated that the front end computer 18 could be configured with additional sets of buffers to allow the development of an application that may take longer to run to completion.

It should also be appreciated from the above that the use of the front end computers 18a-18b also enables the communication system 10 to have the necessary intelligence to answer specific data requests. The use of the front end computers 18a-18b also permits a rapid check to be made that the process control computers 12a-12b are in fact continuing to send realtime data. Additionally, the front end computers 18a-18b are also preferably programmed to make determinations as to whether read or write requests from the process control computers 12a-12b should be granted with respect to the entity on the computer network 20 which has forwarded the request. As will be discussed more fully below, the front end computers contain both a security table and two permissive tables in their memories for facilitating these determinations. The security table is used to determine whether communications will be permitted at all with various entities on the computer network 20, while the permissive tables are used to evaluate write command messages from an entity on the computer network which could affect specific locations in the dual-ported data memories 22a-22b.

The front end computers 18a-18b may also utilize at least one set of additional reflective buffers, such as Correlate buffers 58a and 60a. In light of the fact that the DSS data set will contain the post-arbitrated input value data from the current program cycle and the output value data that was based upon the post-arbitrated input values of the immediately preceding program cycle, it may be desirable to correlate into one data table the output values for a particular program cycle with the input values used to decide these output values. Accordingly, the front end computer 18a may employ the Correlate buffers 58a and 60a to store a copy of the post-arbitrated input values from the current DSS data set, and then wait for the alignment of the next DSS data set in order to store a copy of the output values from this subsequent data set in the same Correlate buffers. In this regard, it should be appreciated that this copying procedure will be made from the most current time aligned set of reflective memory buffers. Thus, for example, FIG. 2A shows a diagrammatic example of a data table in a time aligned buffer, while FIG. 2B shows a similar example of a data table in the Correlate buffer CX. In any event, it should be understood that the time alignment capabilities of the front end computers 18a-18b provide a powerful diagnostic tool for analyzing both the operation of the process control computers 12a-12b and the physical process being controlled. For example, the arbitration performed with respect to the input data values may be analyzed for both of the process control computers 12a-12b, as pre-link and post-arbitrated input data values are time aligned and made available by the front end computers 18a-18b.

The computer network 20 is shown in FIG. 1 to generally include a direct control segment, a process information segment and a connection to a Wide Area Network "WAN". Each of these network segments preferably employ Ethernet compliant mediums and IEEE 802.3 compatible communication protocols. The direct control segment is comprised of dual Plant Area Networks "PAN-1" and "PAN-2", while the process information segment is comprised of Plant Area Network "PAN-3". At least one bridge 62 is used to interconnect the PAN-1 and PAN-2 segments. Additionally, at least one bridge 64 is used to interconnect the PAN-2 segment with the PAN-3 segment. Another bridge may be used to interconnect the PAN-1 segment with the PAN-3 segment. One or more bridges 66 may also be used to interconnect the PAN-3 segment with the WAN.
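The MI Sync bookkeeping described above (round robin over the ZERO, ONE and TWO buffer sets, the four DMA events per set, the 700 millisecond timeout, and the copy-under-mutex discipline for readers), written out as an added C example that is not the patent's own software. The names MI_RMBMS and MI_RM_DATA come from the text; their layouts, the function names, the single-threaded mutex model, and the handling of a repeated event are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* The four DMA events that make up one time-aligned set of buffers. */
typedef enum { EV_SDSS_L, EV_DSS_L, EV_SDSS_R, EV_DSS_R, EV_COUNT } mi_event;

#define BUFFER_SETS   3      /* ZERO, ONE, TWO buffers, used round robin */
#define MI_TIMEOUT_MS 700    /* the page's example timeout for a missing buffer */

/* Assumed layout of one MI_RMBMS entry: which of the four transfers for the
 * set have landed, where each one was stored, and when the set was opened. */
typedef struct {
    const void *ptr[EV_COUNT];
    bool        received[EV_COUNT];
    uint32_t    opened_ms;
    bool        open;
} mi_rmbms;

/* Assumed layout of MI_RM_DATA: the published, time-aligned set of pointers. */
typedef struct {
    const void *ptr[EV_COUNT];
    bool        available[EV_COUNT];  /* false for a buffer that timed out */
    uint32_t    cycle;                /* number of sets published so far */
} mi_rm_data;

/* Minimal mutex model (the example is single-threaded); what matters is the
 * discipline: hold it only for the pointer copy, never during a query. */
typedef struct { bool held; } mi_mutex;
static bool mutex_acquire(mi_mutex *m) { if (m->held) return false; m->held = true; return true; }
static void mutex_release(mi_mutex *m) { m->held = false; }

typedef struct {
    mi_rmbms   sets[BUFFER_SETS];
    int        current;      /* round robin index of the set being filled */
    mi_rm_data data;
    mi_mutex   mtx;
} mi_sync;

void mi_sync_init(mi_sync *s) { memset(s, 0, sizeof *s); }

/* Publish the set being filled: copy its pointers into MI_RM_DATA under the
 * mutex, release immediately, then advance the round robin. Buffers that never
 * arrived are published as unavailable so that time alignment is kept. */
static bool publish(mi_sync *s)
{
    mi_rmbms *cur = &s->sets[s->current];
    if (!mutex_acquire(&s->mtx))
        return false;
    for (int e = 0; e < EV_COUNT; e++) {
        s->data.ptr[e]       = cur->received[e] ? cur->ptr[e] : NULL;
        s->data.available[e] = cur->received[e];
    }
    s->data.cycle++;
    mutex_release(&s->mtx);
    memset(cur, 0, sizeof *cur);
    s->current = (s->current + 1) % BUFFER_SETS;
    return true;
}

/* IFQ driver callback: a DMA transfer for event `ev` completed into `buf`.
 * Returns true when this completion closed a full set of four buffers. */
bool mi_sync_dma_complete(mi_sync *s, mi_event ev, const void *buf, uint32_t now_ms)
{
    mi_rmbms *cur = &s->sets[s->current];
    /* Assumption beyond the page: a repeat of an event already held means the
     * next program cycle has started, so the open set is closed as it stands. */
    if (cur->open && cur->received[ev]) {
        publish(s);
        cur = &s->sets[s->current];
    }
    if (!cur->open) {
        cur->open = true;
        cur->opened_ms = now_ms;
    }
    cur->ptr[ev] = buf;
    cur->received[ev] = true;
    for (int e = 0; e < EV_COUNT; e++)
        if (!cur->received[e])
            return false;
    return publish(s);
}

/* Periodic check: publish an incomplete set once it has waited MI_TIMEOUT_MS. */
bool mi_sync_tick(mi_sync *s, uint32_t now_ms)
{
    mi_rmbms *cur = &s->sets[s->current];
    if (!cur->open || now_ms - cur->opened_ms < MI_TIMEOUT_MS)
        return false;
    return publish(s);
}

/* Reader side: take a private copy of the pointers under the mutex and release
 * it at once; the query then works on the copy while MI Sync keeps publishing. */
bool mi_sync_snapshot(mi_sync *s, mi_rm_data *copy)
{
    if (!mutex_acquire(&s->mtx))
        return false;
    *copy = s->data;
    mutex_release(&s->mtx);
    return true;
}
```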

It should be noted that the front end computer 18a is coupled to the PAN-1 segment, while front end computer 18b is coupled to the PAN-2 segment. While a single plant area network could be provided, the use of dual plant area networks shown herein has certain communication and redundancy advantages over a single plant area network. In this regard, the bridges will typically filter communications by Ethernet hardware addresses to reduce the amount of traffic on each of the network segments. For example, a communication between the security server 68 and the operator station 70 will not be transmitted across the bridge 62 to the PAN-1 segment. The bridges 62-66 also provide a layer of physical separation between the network segments, so that if a fault occurs on one of the network segments, then the fault will be prevented from adversely affecting the other network segments. Additionally, one or more of the bridges are also used to filter communications on the basis of specific data communication protocol identifications to enhance the overall security of the network 20. For example, the bridge 64 may be used to prevent the transmission of messages employing the Ethernet compliant protocol used by the security server 68 from one of the PAN-2 and PAN-3 segments to the other. Similarly, the bridge 64 may be used to prevent the transmission of messages employing the Ethernet compliant protocol used to write information into the mailbox section 26 of the dual-ported data memory.

The computer network 20 also includes a plurality of operator workstations, such as operator workstations 70 and 72. As shown in FIG. 1, these operator workstations may be located on different network segments, and the number of operator workstations will be dependent upon the particular process control application. One or more of these operator workstations may be used to view or analyze data received from the front end computers 18a-18b. Additionally, these operator workstations may be used by an authorized control room operator to transmit the appropriate instructions to the front end computers 18a-18b which will cause a command message to be conveyed to the process control computers 12a-12b.

The network 20 further includes a process information computer 74 which may perform a variety of functions. For example, the process information computer may be used to store a history of process data received from the front end computers 18a-18b. Additionally, the process information computer 74 may be used to store the compilers needed to change the computer programs residing in the front end computers 18a-18b, as well as the programs residing in the process control computers 12a-12b. The process information computer 74 may also include loading assistant software for transferring operating program revisions to the process control computers 12a-12b. The network also includes a control room data manager computer 76, which may be used to perform various file serving and tracking functions among the computers connected to the network.

An expert download assistant 78 is also provided to facilitate program revisions in the front end computers 18a-18b. In contrast, the loading assistant software in the process information computer 74 may be used to cause a new computer program to be downloaded to one of the process control computers 12a-12b through at least one of the front end computers 18a-18b and the mailbox section 26 of the dual-ported data memory 22. While the download assistant 78 may be resident in its own network computer, the download assistant could also reside in a suitable network computer, such as the process information system computer 74.

The loading assistant may also be used to cause the process control computer with the revised program to start operating in a mode which will enable real-time testing of the revised program. In this mode of operation, the process control computer will receive input data and make output decisions, but these output decisions will not be transmitted to the field instrumentation devices. This will permit the plant engineer to evaluate the revisions, and even make further revisions if necessary before instructing the process control computer to assume an active mode of operation, such as the fox or dog modes.

Whenever it is decided that the manner in which the process control computers 12a-12b perform their particular manufacturing control operations should be changed through a program revision, the revised program for the process control computers 12a-12b must be compiled from the source programming language to an executable file or set of dynamically linked files. In the preferred embodiment, a unique identifier is embedded into the executable code during the compile procedure. This identifier represents (or is otherwise associated with) the version of the revised software for the process control computers 12a-12b. The program version identifier is used to ensure proper alignment between the version of the program being executed by the process control computers 12a-12b and the files/tables in the front end computers 18a-18b used to evaluate write command messages to these process control computers.

As mentioned above, each of the front end computers 18a-18b include two permissive tables, such as the "PL" permissive table 80a for the Left process control computer 12a, and the "PR" permissive table 82a for the Right process control computer 12b. These permissive tables are used by the front end computers 18a-18b to determine whether any entity on the computer network 20 should be permitted to change the contents of specific locations in the dual-ported data memories 22a-22b. However, it should be appreciated that the data structure of the permissive table could be constructed to protect the contents of any memory location or area in the process control computers 12a-12b which could be altered from a write command message.

When a message is received by a front end computer 18 from an entity on the network which uses the write command protocol, such as a write command message from one of the operator workstations 70-72, a "data-write-check" sub-routine will be called by the central process unit of the front end computer. The data-write-check routine will perform a comparison between the variable elements identified in the write command message and the variable elements in the permissive table for which changes should be authorized or denied. For example, if the front end computer 18a receives a write command message which seeks to increase/decrease an analog gain "AG" factor used by the program being executed by the Left process control computer 12a, the



5,428,745 

19 20 

front end computer 18a will look up the element word for this particular AG factor in permissive table 80a and determine if a bit has been set to deny the authorization needed to change this factor. If authorization is denied, then the front end computer 18a will not transmit the write command message to the process control computer 12a. Instead, the front end computer 18a will preferably send a reply message to the host entity on the computer network 20 that originally sent the write command message, to inform the host entity that a write error has occurred.

From the above, it should be appreciated that the PL and PR permissive tables stored in the front end computers 18a-18b need to be closely coordinated with the version of the program being executed by each of the process control computers 12a-12b. In order to ensure that each of these permissive tables is sufficiently matched with the programs being executed by their respective process control computers 12a-12b, the program version identifier discussed above is also embedded into these permissive tables when they are compiled. This program version identifier may then be sent to the process control computer 12 along with a verified write command message, so that the process control computer 12 will be able to confirm that the commanded variable change is appropriate to its program version.

To enhance the security of this verification process, the program version identifier from the permissive table is preferably altered by a suitable encryption algorithm before it is transmitted with the write command message to the mailbox section 26 of the stealth interface circuit 16 for the intended process control computer 12. The process control computer 12 receiving the write command message will then decode this version identifier, and compare it with the program version identifier embedded in its program to determine if there is a match. If the program version identifiers match, then the process control computer 12 will perform the commanded variable change. Otherwise, the process control computer 12 will respond by discarding the write command message and transmitting an appropriate error message to the front end computer 18.

The PL and PR permissive tables are also preferably provided with a data structure which permits write command authorization determinations to be made for specific host entities on the computer network 20. In other words, the permissive table 80a may permit particular variable changes to be made from operator workstation 70 that are not allowed to be made from operator workstation 72. Thus, the permissive tables may have several station specific table sections, as well as a default table section. Nevertheless, the ability may also be provided to bypass a check of the appropriate permissive table, through the use of a suitable password at a host entity on the computer network 20. However, in this event, a log should be created and stored in the front end computer 18 which will identify this transaction and the identity of the host entity (e.g., a CPU identifier).

It should be noted that the use of separate permissive tables for the process control computers 12a-12b has the advantage of enabling a program downloading operation to be performed on one of the process control computers while the other process control computer continues to actively control a manufacturing process. Indeed, even after a revised program has been successfully transferred to the process control computer 12a (and the corresponding permissive table 80a loaded in front end computer 18a), the use of separate permissive tables will enable the front end computer 18a to evaluate a write command message intended for the process control computer 12a which is distinct from a write command message intended for the process control computer 12b. While it may not be advisable in some circumstances to run the process control computers 12a-12b with different program versions in an active control mode, a passive operating mode may be used for the process control computer with the revised program while the other process control computer is in an active control mode. In such an event, the plant engineer may use the download assistant 78 during final program testing to issue write command messages for the passive process control computer, while another plant engineer issues write command messages to the active process control computer through the same front end computer 18.

The security server 68 is used to inform each of the computers residing on the network 20 who they may communicate with on the network. In this regard, the security server stores a specific security table for each of the valid entities on the network. Each of these security tables will identify which of the network computer entities a particular network computer may conduct bi-directional communications with. For example, in the case of the front end computers 18a-18b, one of the first functions on start up will be to obtain their respective security tables from the security server 68. Accordingly, the security server 68 is shown in FIG. 1 to store a security table "S1" for the front end computer 18a, and a security table "S2" for the front end computer 18b. While the security server could also be used to send the PL and PR permissive tables discussed above to the front end computers 18, it is preferred that newly compiled permissive tables be received from the download assistant 78. In this regard, it should be noted that the download assistant is also preferably used to send the transfer map 37 intended for the EFS circuit 28 to the front end computer 18 along with the appropriate permissive table.

In order to assure the integrity of security table transfers from the security server 68 to the front end computers 18a-18b, a method of validating these transfers is utilized in the present embodiment. In accordance with this method, the front end computer 18 will embed a random or pseudo-random number in a broadcast network message to request that the security server 68 identify itself as a prelude to sending the appropriate security table. The security server will respond to this request with an acknowledgement message that utilizes a security protocol identifier which is different than that used with other types of network messages. Importantly, this acknowledgement message will include the random number from the front end computer 18 in a transformed state. In this regard, a suitable encryption algorithm may be used to alter the random number, and the random number should have a bit length which will make it difficult for any unauthorized entity to decode (e.g., 32 bits). Upon receipt of the acknowledgement message, the front end computer 18 will then either reverse the encryption process to obtain the random number or encrypt its original random number to make a comparison between the transmitted and received random numbers. Assuming that these random numbers match, then the front end computer 18 will determine that the acknowledgement message has been received from a valid security server, and the transfer process will proceed.

In order to further enhance the security of communications between the front end computers 18a-18b and other entities on the computer network 20, an additional validation procedure is preferably implemented. More specifically, this additional validation procedure is utilized to permit communication between the front end computers 18a-18b and any network entity for which a write command message may be recognized. In accordance with this validation method, the front end computer 18 will send a contract offer message on a periodic basis to the Ethernet address of each host entity on the network 20 which it recognizes as having a write message capability. Each of these contract offer messages will include a random or pseudo-random number or other suitably unpredictable message component. In order for a host entity to be able to have its write command messages recognized, it must respond to its contract offer message within a predetermined period of time (e.g., 10 seconds) with a contract acceptance message that includes a transformed version of this unpredictable message component. While any appropriate encryption algorithm may be used for this purpose, it is preferred that this encryption algorithm be different than the encryption algorithm used to validate the transfer of a security table from the security server 68. Additionally, it should be noted that the security message protocol may be used for these contract offer and acceptance messages.

The front end computer 18 will then decrypt the random number embedded in the contract acceptance message to determine if a time limited communication contract will be established between the front end computer and this host entity at the specific Ethernet address for the host entity that was contained in the security table. This time limited communication contract will ensure that a write command message link between a front end computer 18 and a particular host entity will be reliable and specific. Thus, for example, the front end computer 18a will send a contract offer message to the Ethernet address of the operator workstation 72 which will contain a new random number (e.g., 32 bits in length). The operator workstation 72 will respond with a contract acceptance message that includes an encrypted version of this particular random number. Then, the front end computer 18a will either decrypt this number with the contract algorithm key stored in its memory for this purpose or use the same encryption algorithm to compare the offer and acceptance numbers. If these numbers match, then the front end computer 18a will process write command messages from the operator workstation 72 for a predetermined period of time. Otherwise, if the numbers do not match, then the front end computer 18a will disable a write command authorization bit for the Ethernet address of the operator workstation 72 from its security table S1 to indicate that write command messages from this operator workstation should be ignored.

The communication contract established for write command messages is time limited to enhance the transmission security of these particular messages. In the preferred embodiment, the communication contract will automatically expire within twenty seconds after being initiated. Nevertheless, in order to ensure that the ability to send write command messages is not interrupted, the contract offer messages should be sent from the front end computer 18 to each of the appropriate host entities on the network 20 on a periodic basis which will provide this continuity. For example, with a communication contract of twenty seconds, it is preferred that the contract offers be transmitted at a rate of approximately every ten seconds. In other words, every ten seconds, each of the host entities that are capable of transmitting recognizable write command messages will receive a new random number from each of the front end computers 18.

In the event that a host entity fails to respond to a contract offer message from a front end computer 18, the front end computer will preferably make three tries to establish or maintain a time limited communication contract. If no response is received from these three tries, then the front end computer 18 will disable the write command authorization bit for the Ethernet address of this host entity from its security table. In such an event, the affected host entity will not be able to have its write command messages processed by the front end computer 18 until the security server 68 transmits a new security table to the front end computer 18.

It should be appreciated from the above that only the random numbers need to be encrypted to facilitate a transfer of the security table or to establish the time limited communication contract for write command messages. However, it should be understood that the security table itself or the write command messages could be encrypted as well in the appropriate application. Nevertheless, the use of different Ethernet protocols for security messages and write command messages, the use of different encryption algorithms for security table transfers and write command communication contracts, the limitation of the time of the write command communication contracts to short durations, and the use of specific permissive tables for each of the front end computers 18, all combine to provide a very high degree of communication and write command security for the process control computers 12a-12b. Additional protection is also substantially provided by the guardian circuit in the stealth interface circuit 16, the embedding of a program version identifier in the PL and PR permissive tables, and the encryption of these program version identifiers by the front end computers 18a-18b when a verified write command message is transmitted to the process control computer 12a-12b. In this regard, it should be noted that the encryption algorithm used by the front end computers 18a-18b for the program version identifiers is preferably different than the encryption algorithm used for security table transfers or the encryption algorithm used to establish the time limited communication contracts for write command messages.

Turning to FIG. 3, a block diagram of the stealth interface circuit 16 is shown. Reference will also be made to the schematic diagram of the stealth interface circuit 16, which is shown in FIGS. 4A-4B. The stealth interface circuit 16 is interposed between the internal bus structure 100 of the process control computer 12 and the externally directed stealth port 102. The stealth interface circuit 16 is connected to bus structure 100 via a set of suitable buffers. In this regard, buffer block 104 includes two 8-bit buffer circuits U17-U18, which receive address information from the address bus on the process control computer 12. Similarly, buffer block 106 includes two 8-bit buffer circuits U6-U7, which receive data information from the data bus of the process control computer 12.

The stealth interface circuit 16 also includes a data control block 108, which is also connected to the bus structure 100 of the process control computer 12. As indicated in FIG. 4A, the data control block 108 is preferably comprised of a Programmable Array Logic "PAL" circuit U15 (e.g., EP512), which is used to detect the SDSS and DSS signals from the process control computer 12. As well known in the art, a PAL circuit has fusable links which may be programmed so that a plurality of internal AND gates and OR gates will be configured to perform a desired logic function. While a PAL circuit provides a relatively low cost way of implementing logic functions, it should be understood that other suitable circuit devices may be used for this application. It should also be noted that the PAL circuit is programmed to detect two extra strobe signals that may be generated by the process control computer 12, namely the "EXS1" and "EXS2" signals. One or both of these extra strobe signals may be used by the process control computer 12 to indicate that certain data stored in the dual-ported data memory 22 is stable, such as data used to display graphical information.

The stealth interface circuit 16 also receives four control signals from the process control computer 12 which are used to access the dual-ported data memory 22. These signals are "/EN_DATAMEM", "/EMR", "R/W" and "MEMCLK". The first three of these signals relate to whether the process control computer 12 seeks to read or write to the dual-ported data memory 22. However, MEMCLK is the memory clock signal referred to above which effectively divides the time in the machine cycle of the process control computer 12 available for accessing the dual-ported data memory 22. The MEMCLK signal is a fifty percent duty clock signal, as shown in the timing diagram of FIG. 5A. In accordance with the method illustrated in this timing diagram, the dual-ported data memory 22 may be accessed from the internal process control computer port 100 when MEMCLK is Low. Then, when MEMCLK undergoes a transition to a High state, the dual-ported data memory 22 may be accessed from the external stealth port 102. While the MEMCLK signal is shown to have a period of 400 nano-seconds (i.e., a frequency of 2.5 MHz), it should be understood that other suitable periods and duty cycles may be provided in the appropriate application.

On the stealth port side of the stealth interface circuit 16, a set of suitable buffers are also provided to handle the transfer of address and data information. In this regard, buffer block 110 includes two 8-bit buffer circuits U1-U2, which receive address information from the external stealth port 102. Similarly, buffer block 112 includes two 8-bit buffer circuits U4-U5, which are capable of transmitting and receiving data information between the dual-ported data memory 22 and the stealth port 102.

Additionally, the stealth interface circuit 16 includes an arbitration circuit 114 which receives bus request signals from external entities on the stealth port 102. As shown in FIG. 5B, the present embodiment provides four individual channel lines for the incoming bus request signals "/BR1../BR4". Thus, the stealth interface circuit 16 enables up to four different external entities to be connected to the stealth port 102. The arbitration circuit 114 is shown in FIG. 4B to comprise a four input asynchronous bus arbiter circuit U9 which will grant bus access to the first bus request signal received. In this regard, a specific bus grant signal "/BG1../BG4" will ultimately be generated to inform the particular external entity who won the bus that the channel is clear for its use. The arbitration circuit 114 also has an internal AND gate which will produce the any-bus-request signal "/ANY_BR" shown in the timing diagram of FIG. 5A.

The stealth interface circuit 16 further includes a stealth port control circuit 116, which is used to control access to the dual-ported data memory 22. The control circuit 116 is shown in FIGS. 4A-4B to comprise a PAL circuit U16, a timer circuit U10 and a set of tri-state buffers which are contained in chip U8. In the case of memory access for the internal process control computer bus 100, the PAL circuit U16 will transmit the chip select signal "/CS" to the buffers 104 and 106 to latch or capture address and data information from the internal bus. The PAL circuit U16 will also send the enable memory read signal "/EMR" to the buffer 106 when the process control computer 12 needs to latch or capture data from the data bus 118 of the stealth interface circuit 16. In this regard, the PAL circuit U16 is responsive to both the MEMCLK signal and the central process unit clock signal "CP" of the process control computer 12.

In the case of memory access from the external stealth port 102, the PAL circuit U16 will transmit the enable signal "/SP_EN" to the buffers 110 and 112 to latch or capture address and data information from the external bus. The PAL circuit U16 will also send the enable memory read signal "SR/W" to the buffer 112 when an external entity is permitted to latch or capture data from the data bus 118 of the stealth interface circuit 16. The SR/W signal is received at the stealth port bus 102, and it provides an indication from the external entity of the direction of dataflow desired. In this particular embodiment, the SR/W signal is active High for a read cycle and active Low for a write cycle. The SR/W signal is common to all four potential external users, and it should be held in a tri-state until the external user winning the bus receives its active Low /BR signal.

The PAL U16 also transmits the SR/W signal to the check point guardian circuit 120 (PAL circuit U13) to initiate an evaluation to be made on the address of the dual-ported data memory 22 selected by the external entity for a write operation. In this regard, the guardian circuit 120 is programmed to inhibit the transition needed in the chip enable signal "/CE" for accessing the dual-ported data memory chips U11-U14, whenever the address is outside of the mailbox section 26.

With respect to the sequence of operation for the stealth interface circuit 16, it should be appreciated that a memory read/write cycle from the stealth port 102 must be initiated by the external entity seeking to access the dual-ported data memory 22. This cycle is begun with the transmission of a bus request signal /BR from the external entity, such as front end computer 18a. Upon the receipt of any bus request signals, the arbitrator circuit 114 will transmit an active Low any-bus-request signal /ANY_BR to the PAL circuit U16. The any-bus-request signal is directed to an internal flip-flop of the PAL circuit U16, which operates under the clock signal CP. Accordingly, the any-bus-request signal needs to be present before the falling edge of the clock signal CP in order for stealth port access to occur when MEMCLK goes high, as shown in the timing diagram of FIG. 5A. If the latched any-bus-request signal is active, the stealth interface circuit 16 will begin a stealth port memory cycle. Otherwise, the stealth interface circuit 16 will not initiate a stealth port memory cycle until the next MEMCLK signal period.
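The data-write-check routine, the station specific and default sections of a permissive table, and the program version identifier comparison described earlier in this section, as an added example that is not the patent's own code. The element word layout (a deny bit), the table contents, the host names and the keyed hash used in place of the unspecified encryption are constructed assumptions.

```python
"""Added example, not code from the patent: a model of the front end
computer's "data-write-check" over a PL/PR permissive table with station
specific sections and a default section, followed by the program version
identifier check performed by the process control computer. The patent does
not specify the element word layout, the table format or the encryption of
the version identifier; the deny bit, the dictionaries and the keyed hash
below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac

DENY_WRITE = 0x01   # constructed deny bit in a permissive table element word


@dataclass
class PermissiveTable:
    program_version: str                          # embedded when the table is compiled
    default: dict = field(default_factory=dict)   # variable -> element word
    stations: dict = field(default_factory=dict)  # host -> {variable -> element word}

    def element_word(self, host: str, variable: str) -> int:
        """Station specific section first, then the default section.
        A variable found in neither section is treated as denied."""
        section = self.stations.get(host, {})
        if variable in section:
            return section[variable]
        return self.default.get(variable, DENY_WRITE)


@dataclass
class WriteCommand:
    host: str        # identity of the sending host entity (e.g. its CPU identifier)
    variable: str    # element being changed, e.g. the analog gain "AG" factor
    value: float
    bypass_password: Optional[str] = None


def data_write_check(table, cmd, audit_log, configured_password=None):
    """Front end computer side. Returns (transmit, reply): `transmit` says
    whether the message goes on to the process control computer."""
    if cmd.bypass_password is not None:
        # A bypass is honoured only with the configured password, and is always logged
        if configured_password and hmac.compare_digest(cmd.bypass_password, configured_password):
            audit_log.append(f"bypass by {cmd.host} for {cmd.variable}")
            return True, "bypass logged"
        return False, "write error: bad bypass password"
    if table.element_word(cmd.host, cmd.variable) & DENY_WRITE:
        return False, "write error: authorization denied"
    return True, "authorized"


def encrypted_version_id(table, key: bytes) -> bytes:
    """Version identifier as sent along with a verified write command."""
    return hmac.new(key, table.program_version.encode(), hashlib.sha256).digest()


def pcc_accepts(own_version: str, received_id: bytes, key: bytes) -> bool:
    """Process control computer side: compare against its own program version."""
    expected = hmac.new(key, own_version.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, received_id)


VERSION_KEY = b"constructed version key"


def demo():
    # Constructed PL table: ws70 may change AG, ws72 may not; SP is open to all
    table = PermissiveTable(
        program_version="rev-7",
        default={"AG": DENY_WRITE, "SP": 0},
        stations={"ws70": {"AG": 0}})
    log = []
    results = {
        "ws70_AG": data_write_check(table, WriteCommand("ws70", "AG", 1.5), log, "pw")[0],
        "ws72_AG": data_write_check(table, WriteCommand("ws72", "AG", 1.5), log, "pw")[0],
        "ws72_SP": data_write_check(table, WriteCommand("ws72", "SP", 50.0), log, "pw")[0],
        "ws72_unknown": data_write_check(table, WriteCommand("ws72", "XX", 0.0), log, "pw")[0],
        "bypass": data_write_check(table, WriteCommand("ws72", "AG", 1.5, "pw"), log, "pw")[0],
        "bad_bypass": data_write_check(table, WriteCommand("ws72", "AG", 1.5, "no"), log, "pw")[0],
        "bypass_logged": len(log),
    }
    vid = encrypted_version_id(table, VERSION_KEY)
    results["pcc_same_version"] = pcc_accepts("rev-7", vid, VERSION_KEY)
    results["pcc_old_version"] = pcc_accepts("rev-6", vid, VERSION_KEY)
    return results
```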
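The security server identification exchange and the time limited communication contracts described above, as an added simulation that is not the patent's own code. HMAC-SHA256 stands in for the unspecified encryption algorithms, with one key for security messages and another for contract messages; the keys, addresses and host behaviours are constructed. It also shows a station answering with the wrong algorithm's transform, which the text covers only as the numbers failing to match.

```python
"""Added example, not code from the patent: a simulation of the security
server identification exchange and of the time limited communication
contracts described above. The patent leaves the encryption algorithms open,
so the transformation here is HMAC-SHA256 truncated to the 32 bit random
number length it mentions, with one key for security messages and another for
contract messages. Time is a simulated counter in seconds; all keys, addresses
and host behaviours below are constructed."""
import hashlib
import hmac
import secrets

CONTRACT_SECONDS = 20   # a contract expires twenty seconds after it is made
OFFER_INTERVAL = 10     # a fresh random number goes to each host every ten seconds
MAX_TRIES = 3           # unanswered offers before the write authorization bit is cleared


def transform(key: bytes, nonce: int) -> int:
    """Keyed transformation of a 32 bit random number; only a holder of
    `key` can produce the value the other side expects."""
    mac = hmac.new(key, nonce.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def same_number(a: int, b: int) -> bool:
    return hmac.compare_digest(a.to_bytes(4, "big"), b.to_bytes(4, "big"))


class SecurityServer:
    def __init__(self, security_key: bytes):
        self.security_key = security_key

    def acknowledge(self, nonce: int) -> int:
        # Reply to REQUEST_SECURITY_SERVER with the transformed key (FIG. 6A, 206)
        return transform(self.security_key, nonce)


class FrontEndComputer:
    def __init__(self, security_key: bytes, contract_key: bytes):
        self.security_key = security_key
        self.contract_key = contract_key
        self.write_bit = {}        # Ethernet address -> write authorization bit
        self.contract_expiry = {}  # Ethernet address -> simulated expiry time
        self.misses = {}           # Ethernet address -> consecutive unanswered offers
        self.challenge = None

    def request_security_server(self) -> int:
        self.challenge = secrets.randbits(32)
        return self.challenge

    def validate_server(self, ack: int) -> bool:
        # Re-encrypt the original number and compare (FIG. 6A, block 212)
        return same_number(transform(self.security_key, self.challenge), ack)

    def load_security_table(self, addresses):
        self.write_bit = {addr: True for addr in addresses}
        self.misses = {addr: 0 for addr in addresses}

    def contract_result(self, addr: str, nonce: int, response, now: int):
        """Handle a contract acceptance; `response` is None if none arrived in time."""
        if response is None:
            self.misses[addr] += 1
            if self.misses[addr] >= MAX_TRIES:
                self.write_bit[addr] = False   # only a new security table re-enables it
        elif same_number(transform(self.contract_key, nonce), response):
            self.misses[addr] = 0
            self.contract_expiry[addr] = now + CONTRACT_SECONDS
        else:
            self.write_bit[addr] = False       # mismatch: ignore this station

    def write_allowed(self, addr: str, now: int) -> bool:
        return self.write_bit.get(addr, False) and now < self.contract_expiry.get(addr, -1)


def simulate(fec, hosts, ticks):
    """hosts: address -> function(nonce) giving the acceptance value or None.
    Returns address -> write_allowed at each offer tick."""
    trace = {addr: [] for addr in hosts}
    for i in range(ticks):
        now = i * OFFER_INTERVAL
        for addr, respond in hosts.items():
            if fec.write_bit.get(addr, False):          # offers go only to authorized hosts
                nonce = secrets.randbits(32)
                fec.contract_result(addr, nonce, respond(nonce), now)
            trace[addr].append(fec.write_allowed(addr, now))
    return trace


SECURITY_KEY = b"constructed security key"
CONTRACT_KEY = b"constructed contract key"


def demo():
    fec = FrontEndComputer(SECURITY_KEY, CONTRACT_KEY)
    server = SecurityServer(SECURITY_KEY)
    server_ok = fec.validate_server(server.acknowledge(fec.request_security_server()))
    fec.load_security_table(["ws70", "ws72", "rogue"])
    hosts = {
        "ws70": lambda n: transform(CONTRACT_KEY, n),   # valid station
        "ws72": lambda n: None,                          # never answers its offers
        "rogue": lambda n: transform(SECURITY_KEY, n),   # wrong algorithm for contracts
    }
    return {"server_ok": server_ok, "trace": simulate(fec, hosts, 5), "fec": fec}
```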
When a stealth port memory cycle occurs, the /SP_EN signal is generated from the PAL circuit U16. As indicated above, this signal will enable the address and data buffers on the stealth port. The /SP_EN signal will also enable the arbitration circuit 114, which issues a specific bus grant signal /BG for the external user which wins the bus. Once the external entity detects its bus grant signal, then it may transmit either the memory address it seeks to read or the address and data necessary for a write operation. The chip enable signal /CE is delayed by the PAL circuit U13 to allow for the delay introduced from the address buffer 110, as the address needs to be stable before the RAM chips U11-U14 are actually accessed.

For a stealth port read cycle, the data placed on the data bus 118 will become stable approximately 45 ns after /CE becomes active. In this regard, it should be noted that symbols such as "TCE" in the timing diagram of FIG. 5B indicate the appropriate delay time duration. A read latch signal RD LATCH directed to the PAL circuit U16 may then be used by the external entity to either latch the data into the buffer 112 or indicate that data is available. For a stealth port write cycle, the address lines on the address bus 122 will be monitored by the guardian circuit 120 to ultimately permit or deny write access to the stealth port 102. When write access is denied, the guardian circuit will not generate the active Low chip enable signal /CE, and thereby restrict an external entity on the stealth port 102 from writing to the particular address location in the dual-ported data memory 22 that it has selected. In this event, the guardian circuit 120 will also generate a write address valid signal "WR_AD_VAL", which is transmitted to the PAL circuit U16 of the control circuit 116. The PAL circuit U16 will respond by generating a write address error signal "WR_AD_ERR" for transmission to the external entity. The write address error signal is active High and valid only during the current memory access cycle, and this signal is common to all external entities.

For stealth port accesses to valid write addresses, the guardian circuit 120 will activate the /CE signal. Additionally, the SR/W signal from the external entity should become active when the bus grant signal /BG is Low. The PAL U16 will also cause the write enable signal /WE for the RAM chips U11-U14 of the dual-ported data memory 22 to become active, and the rising edge of the /WE signal is used to write data into these RAM chips.

The control circuit 116 also includes a timer circuit U10, which will generate a CLEAR signal approximately 150 ns after one of the bus grant signals /BG becomes active. The CLEAR signal is used to cause the tri-state buffers in buffer chip U8 to generate individual bus grant clear signals "BG1_CLR..BG4_CLR" to each external user. The CLEAR signal is also used to clear the stealth port memory cycle by deactivating the stealth port enable signal /SP_EN.

Referring to FIGS. 6A-6E, a set of flow charts is shown to further illustrate various aspects of the security and validation methods discussed above. In this regard, FIG. 6A shows the part of the boot up procedure of the front end computer 18 which is directed to a search for the security server 68. Then, once the security server has properly identified itself to the front end computer 18, FIG. 6B shows the procedure for transferring the security table (e.g., security table S1). Thereafter, FIG. 6C shows the procedure for establishing a time limited communication contract with each of the operator stations identified in the security table as having write command ability. Finally, FIGS. 6D-6E combine to illustrate the procedure for validating a write command message sent from an operator station (e.g., operator station 72).

Turning first to FIG. 6A, block 200 indicates that the front end computer "FEC" sends a broadcast message over the computer network 20 to request that the security server 68 identify itself to this front end computer. This message preferably utilizes the Ethernet protocol for security messages. The content of this broadcast network message is generally shown in block 202. In this regard, the network message includes a destination address "FF-FF-FF-FF-FF-FF" which will cause the message to be sent to every entity that is operatively coupled to the PAN-1 and PAN-2 segments of the computer network 20. The network message also includes the source address of the front end computer. The network message also includes a type indication, namely "REQUEST_SECURITY_SERVER". In the data portion of the network message, the CPU identification is given for the process control computer 12 to which the front end computer 18 is connected. Additionally, and importantly, the data portion of the network message also includes an unpredictable key, such as a 32 bit random number. As discussed above, this random key is used to verify the identity of the security server 68.

Block 204 shows that the security server 68 will check all of the information in the broadcast network message, such as the physical Ethernet address of the front end computer and the CPU ID of its process control computer 12. Assuming that this information corresponds to the information stored in the security server for this front end computer, an acknowledgement message 206 will be sent back to the physical Ethernet address of the front end computer. In order to enable the front end computer to verify the identity of the security server 68, the acknowledgement message 206 includes a transformation of the random key sent from the front end computer 18. As indicated above, this transformation is performed with an encryption algorithm which is unique to messages from the security server 68.

Diamond 208 shows that the front end computer 18 will wait a predetermined amount of time to receive the acknowledgement message. If the acknowledgement message is not received within this timeout period, then the front end computer will use the last security table stored in its memory or the default security table if this is the first time the front end computer 18 is being brought into operation (block 210). However, if the acknowledgement message 206 is received in time, then the front end computer 18 will check its random key against the transformed version of the key which was contained in the acknowledgement message (block 212). As indicated above, this comparison may be accomplished by either performing a transformation on the random key using the encryption algorithm for security messages or using a corresponding decryption algorithm. If the transformed key matches the expected key number (diamond 214), then the front end computer 18 will proceed to the procedure shown in FIG. 6B for transferring a copy of the current security table from the security server 68 (block 216). Otherwise, the front end computer will exit this portion of the boot up procedure and stop accumulating further network communication capability (block 218). In one form of the present invention, the front end computer 18 may be permitted to conduct network communications at this point, but not process any write command messages received from an entity on the computer network 20, until such time as a security table is successfully transferred to the front end computer.

Turning now to FIG. 6B, block 220 shows that the front end computer 18 starts the procedure for transferring a copy of the security table by sending a request message to the specific (logical or physical) Ethernet address of the security server 68. This physical Ethernet address is the address learned and stored through the boot up procedure discussed above in connection with FIG. 6A. Block 222 indicates that this request message includes an identification of the CPU ID for the process control computer being serviced by the front end computer 18. Additionally, the front end computer 18 will also inform the security server 68 as to whether this CPU ID is for the Left process control computer 12a or the Right process control computer 12b through the Mode data (e.g., ML for the Left process control computer).

Once the security server receives this request message, it will check the data contained in the message, and build a control message for the front end computer 18 (block 224). As shown in block 226, this control message will inform the front end computer 18 how many bytes are contained in the security table for the process control computer identified in the request message. The front end computer 18 will respond with an acknowledgement message that will contain a new random key (blocks 228-230). The security server will then transmit the security table (e.g., security table S1 for the Left process control computer 12a) with the transformed random key (blocks 232-234). The front end computer 18 will then determine if the transformed key

reply to the watch-dog request message 248 within this timeout period, the front end computer 18 will make additional attempts to make contact (diamond 256 and block 258). If a reply is not received from this operator station after all of these attempts, then the front end computer 18 will disable the write command ability of this particular operator station (block 260). However, it should be appreciated that this write command ability may subsequently be re-established, such as when an updated security table is transferred to the front end computer 18. In this regard, it should be noted that the security server 68 may initiate the security table transfer procedure discussed above through a suitable network message to the front end computer 18.

In the event that the operator station does reply to the watch-dog request message, then the front end computer 18 will determine whether the transformed watch-dog key contained in the reply message matches the expected key number (diamond 262). If a match is not found through this comparison (as discussed above), then the front end computer 18 will ignore the reply message (264). At this point, the front end computer 18 could again attempt to establish a time limited communication contract with this operator station or disable its write command abilities. In the event that a match was found, then the front end computer 18 will copy the previous, valid watch-dog key of this operator station from the current key position to the old key position (block 266). Then, the front end computer 18 will save the transformed watch-dog key received in the reply message in the current key position. As will be discussed below, the current and old keys are used to evaluate the validity of write command messages from the operator station during the period in which a time limited communication contract is in force. In this regard, it should be understood that the procedure shown
matches the expected key (diamond 236). If the keys do in FIG. 6C is repeated for each of the operator stations 
not match, then the front end computer 18 will use the with write command privileges before the time limited 
old or existing security table stored in its memory communication contract expires in order to maintain a 
(block 238). Otherwise, the front end computer 18 will 40 continuous ability of the operator stations to have their 
store the new security table for use, and send an ac- write command messages processed by the front end 
knowledgement message back to the security server computer 18. 

(blocks 240-244). While the front end computer 18 Refering to FIGS. 6D-6E, these figures combine to 
could also be provided with the editing capability to illustrate the procedure for validating a write command 
create its own security table, it is preferred that a sepa- 45 message sent from an operator station (eg., operator 
rate network security server be employed in order that station 72) to the front end computer 18. Tins procedure 
the front end computer be dedicated to the functions begins with an operator station sending a write corn- 
identified above. mand message to the front end computer 18 (block 268). 

Refering to FIG. 6C, the procedure for establishing a This message preferably utilizes the standard Ethernet 
time limited communication contract is shown. The 50 protocol for communication between the front end 
front end computer 18 begins by creating a new watch- computer 18 and other entities on the computer net- 
dog key, which is represented by a 32 bit random num- work 20. In this regard, the write command message 
ber (block 246). The front end computer 18 will then will include not only the variables) sought to changed, 
send a watch-dog message in turn to the physical Ether- but also the watch-dog key from the time limited com- 
net address of each of the operator stations (identified in 55 muiucauon contract, the CPU identification of the re- 
the security table as having write command message cipient process control computer, and the pr ogr am 
capability). In this regard, it should be appreciated that version identification of this process control computer 
these are individual watch-dog messages which include 12. The front end computer 18 wul then perform sev- 
a new watch-dog key for each message (block 248). . era! checks on this write command message. For exam- 
Each operator station which receives such a watch-dog 60 pie, the front end computer 18 will examine the security 
message will respond with a watch-dog reply message table to determine if it has an entry for this particular 
that includes a transformation of the watch-dog key operator station (diamond 270). If this operator station 
(blocks 250-252). was not found in the security table, then the front end 

Since it is possible that an operator station may not computer wul return the write command message to the 

currently be in communication with the computer net- 65 operator station and create a stored log of this error 

work 20, the front end computer 18 wul preferably wait (block 272). 

for a suitable timeout period for a reply, such as ten Assuming that the operator station was identified in 

seconds (diamond 254> If the operator station does not the security table, then the front end computer wul 
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check the security table to determine if the write com- 
mand bit was set for this operator station (diamond 274). 
At this point, it should be understood that the security 
table contains not only the Ethernet address of every 
valid entity on the computer network 20 who can com- 5 
municate with the front end computer, but also an indi- 
cation of whether these entities have write command 
privileges. The security table may contain additional 
information pertaining to each of these entities, such as 
a CPU identification and whether or not these entities 10 
may request specific types of information from the pro- 
cess control computer, such as alarm messages. If the 
security table does not have the bit set to indicate write 
command privileges, then the front end computer will 
return the write command message to the operator 15 
station (or other source entity), and log this error (block 

In the event that the operator station does have write 
command privileges, then the front end computer will 
determine whether or not the watch-dog key (contained 20 
in the write command message) matches either the cur- 
rent or old watch-dog keys (diamond 278). If a match is 
not found, then the front end computer will return an 
invalid watch-dog message to the operator station 
(block 280). If a match was found, then the front end 25 
computer will preferably check to see if the program 
version identification contained in the write command 
message matches the program version identification 
stored in the front end computer for the recipient pro- 
cess control computer 12 (diamond 282). If these pro- 30 
gram version identifications do not match, then the 
front end computer will return an invalid program ver- 
sion message to the operator station (block 284). 

The front end computer 18 win also check to see if 
the write command message contains an indication that 35 
the permissive table for the recipient process control 
computer should be bypassed (diamond 286). The abil- 
ity to bypass the permissive table may be considered a 
special privilege which should require the use of a pass- 
word or physical key which is assigned to the operator 40 
with this privilege. If the bypass bit was set in the write 
command message, then the front end computer will 
still preferably check the permissive table (eg., permis- 
sive table 80a) to determine if a bypass is permitted for 
the specific permissive table or table section that would 45 
otherwise be addressed (diamond 288). If a bypass of 
this permissive table is not permitted, then the front end 
computer will return a message to the operator station 
to indicate that no write access is available in this way 
(block 290). If a bypass of the permissive table is permit- 50 
ted, then the front end computer will transmit the write 
command message to the recipient process control com- 
puter with a transformed version of the program ver- 
sion identification stored in the permissive table of the 
front end computer (block 292). The recipient process 55 
control computer 12 may then determine whether this 
transformed program version identification matches the 
program version identification of its operating program 
before deciding to change the variables) listed in the 
write command message. 60 

In the event that the write command message does 
not have the bypass bit set, then the front end computer 
18 will examine the permissive table to determine if the 
the variable^) to be changed have their write command 
bit set (diamond 294). If the write command bit is not set 65 
for any one of these variables, then the front end com- 
puter will return a no write access message to the opera- 
tor station (block 296). Otherwise, if the front end com- 
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puter determines that the write command message is 
acceptable, then it will transmit the message to the re- 
cipient process control computer as discussed above 
(block 292). 
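The contract establishment of FIG. 6C and the write command checks of FIGS. 6D-6E, modelled in Python as an added example (not the patent's code). The HMAC-SHA256 key transformation, the dict-based security and permissive tables, the outcome strings and the station addresses are assumptions, since the page does not specify them.

```python
"""Watch-dog contract (FIG. 6C) and write-command validation (FIGS. 6D-6E)
of the front end computer, modelled in Python.  Added example, not the
patent's code.  Assumed, not stated on the page: the key transformation is
HMAC-SHA256 of the 32-bit key under a secret shared with the operator
station, truncated to 32 bits; tables are dicts keyed by Ethernet address."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def transform_key(shared_secret: bytes, watchdog_key: int) -> int:
    """Assumed transformation; the page only says 'a transformation'."""
    mac = hmac.new(shared_secret, watchdog_key.to_bytes(4, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:4], "big")


@dataclass
class StationEntry:                      # one security table row
    shared_secret: bytes
    write_enabled: bool                  # write command bit (diamond 274)
    current_key: Optional[int] = None    # transformed key of the latest contract
    old_key: Optional[int] = None        # previous key, still honoured (block 266)


@dataclass
class FrontEnd:
    security_table: Dict[str, StationEntry]
    program_version: int                 # of the recipient process control computer
    permissive_table: Dict[str, bool]    # variable -> write command bit (diamond 294)
    bypass_permitted: bool = False       # may the permissive table be bypassed (diamond 288)
    pending: Dict[str, int] = field(default_factory=dict)   # station -> plain key sent

    def send_watchdog(self, station: str) -> int:
        """Blocks 246-248: a fresh 32-bit random key per station and round."""
        self.pending[station] = secrets.randbits(32)
        return self.pending[station]

    def watchdog_timeout(self, station: str) -> None:
        """Block 260: no reply after all retries, so disable write ability."""
        self.pending.pop(station, None)
        self.security_table[station].write_enabled = False

    def receive_watchdog_reply(self, station: str, transformed: int) -> bool:
        """Diamond 262 / blocks 264-266: accept only the expected transform."""
        entry = self.security_table.get(station)
        plain = self.pending.pop(station, None)
        if entry is None or plain is None:
            return False
        expected = transform_key(entry.shared_secret, plain).to_bytes(4, "big")
        got = (transformed & 0xFFFFFFFF).to_bytes(4, "big")
        if not hmac.compare_digest(expected, got):
            return False                 # block 264: reply ignored
        entry.old_key, entry.current_key = entry.current_key, transformed
        return True

    def validate_write(self, station: str, key: int, version: int,
                       variables: List[str], bypass: bool = False) -> str:
        """FIGS. 6D-6E checks in order; returns the outcome as a string."""
        entry = self.security_table.get(station)
        if entry is None:                                    # diamond 270 / block 272
            return "RETURNED_UNKNOWN_STATION"
        if not entry.write_enabled:                          # diamond 274
            return "RETURNED_NO_WRITE_PRIVILEGE"
        if key not in (entry.current_key, entry.old_key):    # diamond 278
            return "INVALID_WATCHDOG"                        # block 280
        if version != self.program_version:                  # diamond 282
            return "INVALID_PROGRAM_VERSION"                 # block 284
        if bypass:                                           # diamonds 286-288
            return "FORWARDED" if self.bypass_permitted else "NO_WRITE_ACCESS"
        if not all(self.permissive_table.get(v, False) for v in variables):
            return "NO_WRITE_ACCESS"                         # diamond 294 / block 296
        return "FORWARDED"                                   # block 292


def demo() -> Dict[str, str]:
    """Constructed scenario: two stations, three contract rounds, one timeout."""
    op, ro = "08-00-2b-00-00-01", "08-00-2b-00-00-02"      # constructed addresses
    fe = FrontEnd(
        security_table={op: StationEntry(b"secret-72", write_enabled=True),
                        ro: StationEntry(b"secret-74", write_enabled=False)},
        program_version=0x1234,
        permissive_table={"FLOW_SP": True, "PRESSURE_SP": False},
    )
    keys = []
    for _ in range(3):                    # after round 3 only k1 and k2 are valid
        k = transform_key(b"secret-72", fe.send_watchdog(op))
        fe.receive_watchdog_reply(op, k)
        keys.append(k)
    k0, k1, k2 = keys
    results = {
        "expired_key": fe.validate_write(op, k0, 0x1234, ["FLOW_SP"]),
        "old_key_ok": fe.validate_write(op, k1, 0x1234, ["FLOW_SP"]),
        "current_key_ok": fe.validate_write(op, k2, 0x1234, ["FLOW_SP"]),
        "wrong_version": fe.validate_write(op, k2, 0x9999, ["FLOW_SP"]),
        "locked_variable": fe.validate_write(op, k2, 0x1234, ["FLOW_SP", "PRESSURE_SP"]),
        "bypass_denied": fe.validate_write(op, k2, 0x1234, ["PRESSURE_SP"], bypass=True),
        "read_only_station": fe.validate_write(ro, k2, 0x1234, ["FLOW_SP"]),
    }
    fe.watchdog_timeout(op)               # station went silent
    results["after_timeout"] = fe.validate_write(op, k2, 0x1234, ["FLOW_SP"])
    return results
```

The two-key window means a station whose reply to the newest watch-dog message is still in flight can keep writing with the previous key, while a key older than one round is refused.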

Referring to FIG. 7, a block diagram of the application software 300 for the front end computer 18 is shown. In this regard, FIG. 7 shows the interaction of the application software with the Q-bus 302 of the front end computer 18 and with the Ethernet services 304 for the computer network 20. Thus, for example, a bi-directional line is provided between the Q-bus 302 and the IFQ driver 308. The IFQ driver 308 represents the device driver software for controlling communication with the CPU of the front end computer 18. The IFQ driver 308 is coupled to the "MI Sync" subsystem 310 through a datastore event 312. In this regard, the MI Sync subsystem receives notification of DMA completions from the IFQ driver 308, such as when the SDSS data from one of the process control computers 12a-12b has been completely received in the appropriate Interim buffer (e.g., Interim buffer 46a or 46b). The reflective memories 46a-56a from FIG. 1 are shown in FIG. 7 as reflective memories 314. FIG. 7 also illustrates that the reflective memories 314 are operatively coupled to the Q-bus 302 of the front end computer 18.

The MI Sync subsystem 310 represents that portion of the application software 300 which is responsible for synchronizing the incoming SDSS and DSS data frames from each of the process control computers 12a-12b through the operation of the reflective memories 314, as discussed above. The MI Sync subsystem also notifies the "MI MOD Health" module 316 and "System Messages" module 318 when a data frame is available for processing. Additionally, the MI Sync subsystem 310 is also used to detect whether or not reflective memory updates have stopped occurring, such as when one of the process control computers has stopped sending data to the front end computer 18. This procedure is implemented through the "MOD Status" module 320 and the "MI Watchdog" module 322. The MI Watchdog module 322 uses a two-second timer to detect if the front end computer 18 has stopped receiving data from either of the process control computers 12a-12b.

The MI MOD Health module 316 processes health bit changes in the data being received by the front end computer 18 from the process control computers 12a-12b. In this regard, the MI MOD Health module 316 sends these changes to the "EVT Event Handler" module 324. Similarly, the MI System Messages module 318 processes incoming system messages from the process control computers, and it queues any requests to the EVT Event Handler module 324. The EVT Event Handler module 324 processes event buffers, formats text for output to the Print Services module 326, and records errors and other events in an event log.

The reflective memories 314 are coupled to the "MI CISS Memory Read" module 328, which performs read operations on the reflective memories. In this regard, the MI CISS Memory Read module 328 formats query responses into the standard Ethernet protocol for transferring data/messages, and directs the response to the requesting network entity via port 330. The "NI CISS" module 332 receives incoming query requests from a network entity using the standard protocol for transferring data/messages. The NI CISS module 332 performs an initial security check on the message, and routes the request to the appropriate process as determined by the message type. For example, the NI CISS module 332 will route a read data message to the MI CISS Memory Read module 328. Additionally, the NI CISS module 332 will route program download requests to the "MI Download Handler" module 334. Other request messages will be routed to the "MI Message Services" module 334.

The application software 300 also includes modules which facilitate communication with a User Interface. In this regard, the User Interface is used to provide a window into the operation of the front end computer 18, as opposed to an interface to one of the process control computers 12a-12b. The User Interface software may be accessed "locally" through a terminal connected directly to the front end computer 18. The User Interface software may also be accessed "remotely" through an application that could be run from the security server 68. The User Interface is used to disable or re-enable network communications for a specific protocol, perform diagnostic functions, re-boot the front end computer 18, monitor reflective memory updates, monitor network activity, and otherwise manage access to privileged front end computer functions.

The application software modules that handle User Interface requests are the "NI Remote User" module 338, the "UI Local" module 340 and the "UI Services" module 342. The NI Remote User module 338 receives all messages having the protocol for User Interface communications, and it forwards valid requests to the UI Services module 342. The UI Services module 342 provides a data server for both local and remote user requests. The UI Local module 340 handles the local User Interface display screens in order to display responses on the local terminal.

The application software 300 also includes an "NI Transmit Done" module 344, which receives notification of Ethernet-write completions and maintains a free queue of network interface transmit message buffers. Additionally, an "EVT File Maint" module 346 is used to delete aged event log files. Furthermore, an "NI Watchdog" module 348 and an "NI SCSP" module 350 implement the watchdog security process discussed above. In this regard, the NI Watchdog module 348 sends watchdog request messages to the operator stations, and the NI SCSP module 350 processes the reply messages (as well as all other network messages using the security protocol). The NI Watchdog module 348 also checks to see if reply messages were received to each of the watchdog request messages.

Other than watchdog reply messages, the NI SCSP module 350 forwards all other security protocol messages to the "CFG Config Manager" module 352. The CFG Config Manager module 352 processes the security requests and performs the initial loading of the permissive tables 80a-82a. The CFG Config Manager module 352 also performs the loading of a memory map to be discussed below in connection with FIG. 8. The application software 300 also includes a "MIF Master Process" module 354, which performs the basic initialization routines to create all of the other front end computer processes. The MIF Master Process module 354 is also used to detect an unexpected termination of any of these processes.

Referring to FIG. 8, a diagrammatic illustration of the configuration for the front end computer 18a is shown. Specifically, FIG. 8 illustrates that the CFG Config Manager module 352 interacts with the security server 68 and the download assistant 78 to obtain the information necessary to configure the front end computer 18a on boot up. In this regard, the CFG Config Manager module 352 is responsive to requests from the MIF Master Process module 354 to perform these configuration activities. In other words, the CFG Config Manager module 352 will locate the security server 68 through the broadcast network message (as described above) and load the security table S1 which is ultimately received from the security server. Additionally, the CFG Config Manager module 352 will also load both of the permissive tables 80a-82a from the download assistant 78. The CFG Config Manager module 352 also receives a memory map for each of the process control computers 12a-12b, such as the memory map 356 shown in FIG. 8. The memory maps are used to enable the front end computer 18a to build the transfer tables (e.g., transfer table 37) and interpret the data received in each of the reflective memory buffers 314. In other words, each of the memory maps identifies the data which is stored in each addressable location of the dual-ported data memory 22 for each of the process control computers 12a-12b. As part of this process, the memory map divides the dual-ported data memory 22 of the process control computer 12 into logical segments. The first set of segments are used for SDSS data values, while the DSS data values include the SDSS memory segments, as well as additional segments.

As discussed above, the MI Sync subsystem 310 is responsible for grouping the DMA completion events relative to the transfer of SDSS and DSS data for both process control computers 12a-12b into a cohesive pair of data tables that represent data for a given process control cycle snap-shot. For purposes of this discussion these DMA completion events will be referred to as the Left SDSS buffer, the Right SDSS buffer, the Left DSS buffer and the Right DSS buffer. The exact order in which these data buffers are received may vary, but the SDSS buffers will precede the DSS buffers.

The MI Sync subsystem 310 is responsive to the above identified DMA events. In this regard, the MI Sync subsystem 310 will wait for the completion of a DMA event, and then check the status to determine the type of buffer received. If the buffer received is an SDSS buffer and the front end computer 18 has already received a corresponding DSS buffer, then final completion processing will be performed. Likewise, if the buffer for this type has already been received, final completion processing will be performed. If the buffer received is not the first buffer, then the MI Sync subsystem 310 will check the time difference between the current time and the time at which the first buffer was received. If this difference exceeds a predetermined tolerance, such as 0.7 seconds, then the steps for final completion processing will be performed. If this is the first buffer (e.g., the Left SDSS buffer), then the time that this buffer was received will be recorded. If this buffer was not expected at this point, then its status will be changed to expected. The pointer to this buffer will also be recorded, and the buffer will be marked as received.

The MI Sync subsystem 310 will also check to see if all expected buffers have been received (e.g., the Left/Right SDSS and Left/Right DSS buffers). If all the expected buffers have been received, then final completion processing will be performed. During final completion processing, the buffer pointers for the received buffers will be copied to a system data structure which will allow other applications to access this data. This procedure is protected by a mutual exclusion semaphore, which is referred to as the "mutex". Additionally, the error counters will be zeroed for all received buffers. If any expected buffers were not received, the associated error counters will be incremented. If the error counters exceed the allowed threshold, then the affected buffers will be marked as not expected. Then all buffers will be marked as not received in order to set up the processing for the next set of buffers. Applications that access the memory buffers received may then copy the buffer pointers out of the shared system data structure for use.

In order to more fully illustrate the operation of the MI Sync subsystem 310, a module synopsis and the pseudo-code for this software will be presented below. Additionally, the data structures for the reflective memory buffers 314 will also be set forth to assist the interpretation of the pseudo-code. The data structures are contained in Tables 1-3, the module synopsis is contained in Table 4, and the pseudo-code follows immediately thereafter.

TABLE 1

Reflective Memory Data Structures
Data Structure MI_RM_DATA

Data Item        Data Format   Description
RM_MUTEX         Mutex         Mutex used to protect this data structure.
RM_STATUS        Word          Indicates current reflective memory status.
LEFT_SDSS_PTR    Pointer       Pointer to current left SDSS reflective memory buffer.
RIGHT_SDSS_PTR   Pointer       Pointer to current right SDSS reflective memory buffer.
LEFT_DSS_PTR     Pointer       Pointer to current left DSS reflective memory buffer.
RIGHT_DSS_PTR    Pointer       Pointer to current right DSS reflective memory buffer.
FOX_DSS_PTR      Pointer       Pointer to current fox DSS reflective memory buffer.
DOG_DSS_PTR      Pointer       Pointer to current dog DSS reflective memory buffer.
FOX_MAP_PTR      Pointer       Pointer to current memory map (left or right) for the
                               current fox buffer.
DOG_MAP_PTR      Pointer       Pointer to current memory map (left or right) for the
                               current dog buffer.
FOX_SIDE         Longword      Indicates the channel that is the fox. 0 = left,
                               1 = right, -1 = undefined.
DOG_SIDE         Longword      Indicates the channel that is the dog. 0 = left,
                               1 = right, -1 = undefined.
LEFT_INFO_BYTE   Byte          Info byte for outbound CISS requests satisfied from
                               the left buffer. Includes fox/dog status.
RIGHT_INFO_BYTE  Byte          Info byte for outbound CISS requests satisfied from
                               the right buffer. Includes fox/dog status.
FOX_INFO_BYTE    Byte          Info byte for outbound CISS requests satisfied from
                               the fox buffer. Includes left/right status.
DOG_INFO_BYTE    Byte          Info byte for outbound CISS requests satisfied from
                               the dog buffer. Includes left/right status.



TABLE 2

Reflective Memory Data Structures
Data Structure MI_RMBMS[4] - Structure Array

NOTE: The Reflective Memory Buffer Management Structure (MI_RMBMS) array consists of four MI_RMB_STATUS_TYPE (defined below) data structures. Each RMBMS entry is used to keep track of a specific reflective memory type (left/right SDSS and DSS). Symbolic indices are defined to access this array: MI_RM_L_SDSS, MI_RM_R_SDSS, MI_RM_L_DSS, and MI_RM_R_DSS.

Data Item            Data Format        Description
LAST_RECEIVED        Time               Specifies the time of receipt of the last buffer
                                        for this type.
DMA_EVENT            Object Variable    Contains the VAXELN object ID for the event
                                        signaled by IFQ Driver when a DMA completion for
                                        this type of memory buffer completes.
ENABLE_EVENT         Object Variable    Contains the VAXELN object ID for the event
                                        signaled by calling MI_ENABLE_STROBES to tell
                                        MI Sync that strobes have been enabled.
DISABLE_EVENT        Object Variable    Contains the VAXELN object ID for the event
                                        signaled by calling MI_DISABLE_STROBES to tell
                                        MI Sync that strobes have been disabled.
PEND_BUFF_PTR        Pointer            Contains a pointer to the DMA buffer received for
                                        this memory type in the current time window.
                                        Reset to null by MI Sync upon copying pointers
                                        to MI_RM_DATA.
RMB_STS              Longword           Longword bit mask indicating the status of this
                                        reflective memory buffer. The individual bit
                                        fields are listed below.
  RMB_STS_V_EXPECTED Bit                Bit in RMB_STS that indicates that the associated
                                        strobe for this reflective memory type is
                                        enabled, thus indicating that DMA completions
                                        are expected.
  RMB_STS_V_RECEIVED Bit                Bit in RMB_STS used by MI Sync to indicate that
                                        a DMA completion for this reflective memory type
                                        has occurred in the current DMA time window.
                                        Cleared whenever a complete set of buffers has
                                        been received, and then set for each individual
                                        buffer type as it is received.
  RMB_STS_V_DSS_BUFF Bit                Indicates if the reflective buffer type in
                                        question is either for the left or right DSS
                                        reflective memory buffer.
  RMB_STS_V_ENABLED  Bit                Indicates if the associated strobe is enabled.
CONS_ERR_COUNT       Longword           Specifies the number of consecutive receive
                                        failures for this buffer type.
DMA_ERR_COUNT        Longword           Specifies the number of consecutive DMA
                                        completion failures for this buffer type.
ADSB                                    Specifies the Asynchronous Data Status Block used
                                        by the driver to indicate DMA completion status.
                                        This structure is of the IFQ$_ADSB type and ...
BUFFER_PTR           Pointer Array[8]   The BUFFER_PTR array holds the addresses of up to
                                        eight DMA buffers used for this reflective memory
                                        type, in the order the buffers were specified in
                                        the IFQ$_ENABLE_DSS or SDSS call. This array is
                                        subscripted by the buffer number field returned
                                        in the ADSB to retrieve the base address of the
                                        DMA buffer just received. The dimension of this
                                        array allows for the maximum number of DMA
                                        buffers supported by the IFQ driver.
BUFF_HIST_IDX        Longword           Index to the BUFF_HIST_PTR array. Indicates the
                                        most recently updated buffer.
BUFF_HIST_PTR        Pointer Array[8]   Circular buffer of most recently received DMA
                                        buffers. Indicates the buffers received in the
                                        last eight seconds. BUFF_HIST_IDX points to the
                                        most recent entry.
MOD_TASK             Longword           Indicates the POC task state as indicated by the
                                        most recent reflective memory update. Valid only
                                        if RMB_STS_V_DSS_BUFF is set.
TABLE 3

Reflective Memory Data Structures
Data Structure MI_RM_AUX

Data Item          Data Format        Description
LAST_DSS_L_PTR     Pointer            Pointer to most recent left DSS buffer. Set by
                                      MI Sync and used by MI Health Check and MI ...
LAST_DSS_R_PTR     Pointer            Pointer to most recent right DSS buffer. Set by
                                      MI Sync and used by MI Health Check and MI ...
WD_FLAG            Longword           Flag used by MI Sync and MI Watchdog to check
                                      for MI Sync activity.
DMA_BUFFER_COUNT   Longword           Specifies the number of DMA buffers currently in
                                      use. Copied from MIF_MP$NUM_DMA_BUFFERS on
                                      startup.
TIME_CHANGE        Event Object       Set when a time change ... Tells MI Sync to ...
                                      time of the first DMA receipt.
SYSMSG_L_SEMA      Semaphore Object   Set by MI Sync to trigger MI System Messages to
                                      process left reflective memory.
SYSMSG_R_SEMA      Semaphore Object   Set by MI Sync to trigger MI System Messages to
                                      process right reflective memory.
HEALTH_L_SEMA      Semaphore Object   Set by MI Sync to trigger MI Health Check to
                                      process left reflective memory.
HEALTH_R_SEMA      Semaphore Object   Set by MI Sync to trigger MI Health Check to
                                      process right reflective memory.
TABLE 4

Module Synopsis for MI_SYNC_MAIN

ABSTRACT              Synchronizes receipt of incoming DMA buffers.
MODULE TYPE           Process mainline.
EVENTS/SEMAPHORES
  MI_RMBMS(*).DMA_EVENT       The four (left/right DSS/SDSS) completion events
                              signaled by the IFQ Driver process on receipt of a
                              new reflective memory buffer. Indices to the
                              MI_RMBMS array are MI_RM_L_DSS, MI_RM_R_DSS,
                              MI_RM_L_SDSS and MI_RM_R_SDSS.
  MI_RMBMS(*).ENABLE_EVENT    The four (left/right DSS/SDSS) DMA enable events.
                              These are signaled by MI_ENABLE_STROBES to notify
                              MI Sync of changes in the receipt of SDSS and DSS
                              DMA updates.
  MI_RMBMS(*).DISABLE_EVENT   The four (left/right DSS/SDSS) DMA disable events.
                              These are signaled by MI_DISABLE_STROBES to notify
                              MI Sync of changes in the receipt of SDSS and DSS
                              DMA updates.
  MI_RM_AUX.HEALTH_L_SEMA     Signaled to tell MI MOD Health to process left
                              health bits.
  MI_RM_AUX.HEALTH_R_SEMA     Signaled to tell MI MOD Health to process right
                              health bits.
  MI_RM_AUX.SYSMSG_L_SEMA     Signaled to tell MI System Messages to process left
                              system messages.
  MI_RM_AUX.SYSMSG_R_SEMA     Signaled to tell MI System Messages to process
                              right system messages.
OTHER INPUTS
  MI_RMBMS(*).ADSB            Asynchronous Data Status Blocks for each of the four
                              DMA completion events.
  DSS data buffer             Accessed at offset MI_TASK_STATE_L or
                              MI_TASK_STATE_R to determine FOX/DOG ...
OTHER OUTPUTS
  MI_RM_DATA                  Structure containing current reflective memory
                              pointers.
  MI_RM_AUX.WD_FLAG           Set to 1 to indicate receipt of data.
CALLED ROUTINES       KER$WAIT_ANY
                      KER$CLEAR_EVENT
                      KER$LOCK_MUTEX
                      KER$UNLOCK_MUTEX
CONDITION CODES       MIF_NORMAL
                      MIF_IFQ_ERROR
                      MIF_APF_ERROR
MI_SYNC_MAIN Pseudo-code

PROGRAM MI_SYNC_MAIN
    waiting_for_first_DMA = true
    REPEAT
        /* Issue the wait any for the four DMA completion events,
           an enable or disable of strobes, or time changes */
        CALL KER$WAIT_ANY with MI_RMBMS[0].DMA_EVENT,
                               MI_RMBMS[1].DMA_EVENT,
                               MI_RMBMS[2].DMA_EVENT,
                               MI_RMBMS[3].DMA_EVENT,
                               MI_RMBMS[0].ENABLE_EVENT,
                               MI_RMBMS[1].ENABLE_EVENT,
                               MI_RMBMS[2].ENABLE_EVENT,
                               MI_RMBMS[3].ENABLE_EVENT,
                               MI_RMBMS[0].DISABLE_EVENT,
                               MI_RMBMS[1].DISABLE_EVENT,
                               MI_RMBMS[2].DISABLE_EVENT,
                               MI_RMBMS[3].DISABLE_EVENT,
                               MI_RM_AUX.TIME_CHANGE,
                               and wait_result
        RMBMS_idx = (wait_result - 1) MOD 4
        case_idx = wait_result DIV 4
        CASE [case_idx]
            [0] Call DMA_Completion
            [1] Call DMA_Enable
            [2] Call DMA_Disable
            [3] Call Time_Change
        ENDCASE
        REPEAT for i = 0 to 3
            still_waiting = MI_RMBMS[i].RMB_STS_V_EXPECTED is set
                            and RMB_STS_V_RECEIVED is clear
        UNTIL (still_waiting or final iteration)
        IF not still_waiting THEN
            We have a complete set of buffers;
            Check MOD_TASK values for valid combination
            CALL update_pointers (MIF_NORMAL)
            waiting_for_first_DMA = true
        END IF
    UNTIL MIF shutdown required
    EXIT

SUBROUTINE DMA_Completion
    CALL KER$CLEAR_EVENT MI_RMBMS[RMBMS_idx].DMA_EVENT
    MI_RM_AUX.WD_FLAG = 1
    current_time = Current system time
    IF waiting_for_first_DMA
        first_dma_time = current_time
        waiting_for_first_DMA = false
    ELSE
        IF current_time - first_dma_time > MI_Sync_TOLERANCE
            Log Error "Out of sync - Did not receive required DMA"
            Check for excessive failures:
            FOR i = 0 to 3
                IF MI_RMBMS[i].RMB_STS_V_EXPECTED is set
                   and RMB_STS_V_RECEIVED is clear
                    MI_RMBMS[i].PEND_BUFF_PTR = null
                    Log Error "Failed to receive DMA for [DMA type]"
                    MI_RMBMS[i].RMB_CONS_ERRORS = RMB_CONS_ERRORS + 1
                    IF MI_RMBMS[i].RMB_CONS_ERRORS > tolerance then
                        Log Error "No longer expecting [DMA type] -
                                   too many consecutive failures"
                        (broadcast error message)
                    END IF
                ENDIF
            ENDFOR
            Update pointers with available data:
            CALL update_pointers (MIF_NO_SYNC)
            first_dma_time = current_time
            /* Fall through to use this buffer as the first buffer
               in the next set ... */
        ENDIF
    ENDIF
    IF buffer type is SDSS and corresponding DSS received,
        then CALL update_pointers
    ENDIF
    WITH MI_RMBMS[RMBMS_idx]
        IF *.RMB_STS_V_RECEIVED is set
            Log Error ("Out of Sync - DMA collision")
            CALL update_pointers (MIF_DMA_COLL)
            first_dma_time = current_time
            /* Fall through to use this buffer as the first
               in the next set ... */
        ENDIF
        IF *.RMB_STS_V_EXPECTED is not set
            Log Error ("Unexpected DMA completion")
        ENDIF
        IF *.RMB_STS_V_DISABLED is set
            Log Error ("Received complete for disabled strobe")
            Return
        ENDIF
        Check DMA completion status in ADSB
        IF error
            *.CONS_ERR_COUNT = *.CONS_ERR_COUNT + 1
            IF *.CONS_ERR_COUNT < 5 Then
                Log Error ("DMA failure on channel")
            ELSE
                IF *.CONS_ERR_COUNT MOD 300 = 1
                    Log Error ("DMA still failing")
                ENDIF
            ENDIF
        ELSE
            *.CONS_ERR_COUNT = 0
        ENDIF
        rm_buffer_ptr = *.BUFFER_PTR[*.ADSB.buffer_number - 1]
        *.RECEIVED_DATE_TIME = current_time
        *.PEND_BUFF_PTR = rm_buffer_ptr
        *.RMB_STS_V_EXPECTED = true
        Set *.RMB_STS_V_RECEIVED
        IF *.RMB_STS_V_DSS_BUFF is set
            get mod state using rm_buffer_ptr offset by *.RM_TASK_OFFSET
            *.MOD_TASK = mod state
            IF RMBMS_idx = MI_RM_L_DSS
                MI_RM_AUX.LEFT_RM_PTR = rm_buffer_ptr
                Signal MI_RM_AUX.HEALTH_L_EVENT
                Signal MI_RM_AUX.SYSMSG_L_EVENT
            ELSE
                MI_RM_AUX.RIGHT_RM_PTR = rm_buffer_ptr
                Signal MI_RM_AUX.HEALTH_R_EVENT
                Signal MI_RM_AUX.SYSMSG_R_EVENT
            ENDIF
        ENDIF
    ENDWITH
    RETURN
END SUBROUTINE

SUBROUTINE DMA—ENABLE 

dear MLJlMBMS[RMBMSLJd_]J>MA_JENABLE (KEOCLEAR— EVENT) 
MI_RMBMS ptMBMS-Jdx3-RMB_STS—V_ DISABLED = fake 
ML_RMBSM [RMBMS_idx].RMB-STS_V.JEXFECTED = true 
RETURN 

END SUBROUTINE 

SUBROUTINE DMA DISABLE 

dear ML_RMBMS [RMBMS— idxJ.DMA DISABLE 

(KERSCI .F.AR EVENT) 

ML-RMBMS [RMBMS-idx]JtMB_STS_V__DISABLE = true 

ML-RMBMS [RMBMS ttht}.RMB STS—V— EXPECTED - false 

MI_RMBMS [RMBMS - .idxjPEND— BUFF_JTR = Null 
RETURN 

END SUBROUTINE 

SUBROUTINE TIME—CHANGE 

CAlXKER$Cl__AR__EVENTwi_i MT Rm AUX.TIMF CHANGE 
current — tune — Current system time 
fir s t— c hna . time <=» current— time 
RETURN 

END SUBROUTINE 
SUBROUTINE update— pointers (state) 

Lock MI— RM_ CLOBALS mutex 

MI_RM_DATARM— STAIUS « state 

Copy the LEFR/SIDE SDSS/DSS pointers: 

ML-RM— DATA I FFT-SDSS-PTR = 

ML-RMBMS (ML-SDSS T, TDX_ }PEND_BUFF_PTR 

MI— RM_DATAJUGHT_SDS__PTR 

ML4MI SPSS R IDX)J>END_BUFF-FRT 

MI—RM— DATAXEFT—DfiS -PTR « 

ML-RMBMS (MI DSS I IDX).PEND_BUFF-PTR 

M1_RM_DATAJUGHT_DSS-PTR = 

ML-RMBMS (MI DSS..R, IT)X).PEND— BUFF— PTR 

dear FOX/DOG pointers: 

MI-RM_DATAFOX_DSS-PTR = null 

ML-RM-PATAJ-OG-DSS-PTR = moD 

ML_RM__DATA.FOX_MAP— FTR = null 

ML_ RM— DATAIXXi— MAP— PTR = null 

Mark the mfo byte as **not prime"* nntO proven otherwise: 

dear ML-RM—DATAJUGHT— INFO— BYTE prime bit /* BitO V 

dear MI RM— DATAXEFT—INFO— BYTE prime bit 

Set Fox side and dog side to "tmknown" (I): 

MI_ RM__DATAJFOX SIDE - -1 

ML_RM_J>ATAJXX3-SIDE « -I 

Determine new FOX/DOG Trrfhrm-tww 

IF ML-RMBMS (MI DSS T, TDXXMOD-STATUS = fox status or eagle status 
ML-RM-DATAJFOX-DSS PTR = 
ML-RMBMS (MI DSS I. n^X)JEND— BUFF—PTR 

ML-RM DATA FOX MAP— PTR - Addr (MEMORY—MAP I. TABLE) 

Set ML_RM__DATA_FOX_JNFO_BYTE left/right bit /•bhOV 
Set MLJUS__DATA.I_eFT_INFO_BYTE prime bit /• bit 2 V 
ML_RM_ DATAJFOX— SIDE « 0/* Left */ 

IF ML-RMBMS (MI DSS R IDX)iMOD-STATUS = dog— status or "task B" 
ML-RM DATAJDOG— DSS— PTR = 

MI— RMBMS (MI—DS&-R— IDX).PEND— BUFF— PTR 
MI— RM—DATA-DOG— MAP—PRT = Addr (MEMORY— MAP— L—TABLE) 
dear ML-RM— DATAJDOG— INFO—BYTE left/right bit 
MI— RM— DATAJDOG— SIDE = 1 /* Right • 
ENDIF 
ELSE 

IF MT RMBMS (MI DSS R IDX)>MOD— STATUS = tax status or eagle status 
ML-RM— DATA.FOX DSS PTR = 

ML_RMBMS (MI DSS K TDX>PEND— BUFF— PTR 
ML-RM— DATAJK)X— MAP— PTR. « Addr (MEMORY— MAP— R— TABLE) 
dear MI— RM— DATAJFOX— INFO_BYTE left/right bit 
Set Ml—RM— DATA.RIGHT—INFO— BYTE prime bit 
MI— RM_ DATAJFOX SIDE « I /» Right V 

IF RMBMS (ML_ DSS T. IDX)JtfOD-STATUS = dog-status or "task B" 
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-continued 

MI-RM-J>ATAJXXj_DSSL_FrR « 
MLJLMBMS (MLJPSS T. TDX)JEND JUFF-PTR 

MLJ&M_J>ATAJDOG__MAP_PTR = Addr (MEMORY—MAP T. TABLE) 

Set ML.RM-DATAJXXj_INFO.BYTE left/right bit 

ML_RM—DATAJXXj.. . SIDE = 0/*LeftV 
ENDIF 

ENDEF 
ENDIF 

Release MI_JtM_GLOBAlS mutcx 
Clear oo nt r xl : 
FOR i « 0 to 3 
MI—RMBMS ©J^END-JBUFF-JTR = null 
Clear MLRMBMS (i>RMB_STSL_V_RECERVED 
ENDFOR 
END SUBROUTINE 
ENDPROGRAM 



Referring to FIG. 9, a diagrammatic illustration is shown of the relationship between the reflective memory buffers 314 in the front end computer 18a, the transfer map 37 in the IFS circuit 28 and the dual-ported data memory 22 in the process control computers 12a-12b. For purposes of illustration, the data memory 22 is shown to include only two segments. The transfer map 37 indicates that data memory addresses 2000 to 2002 (hex) in the first segment, and data memory addresses 4100 to 4105 (hex) in the second segment, are to be transferred to the reflective memory buffer 46a. More specifically, it should be observed that the transfer map 37 creates a block of contiguous data elements from memory locations in the data memory 22 which are not necessarily contiguous.

Referring to FIG. 10, a block diagram of the IFS circuit 28 is shown. In this block diagram, the individual transmitters and receivers (e.g., transmitter 38a and receiver 40a) are shown in a single block 400 which also includes the AT&T ODL200 series light converters. The IFS circuit 28 also includes control blocks 402-404 which govern the transfer of data/address signals to and from the transmitter/receiver block 400. In this regard, the IFS circuit 28 includes both an address buffer 406 and a data buffer 408 to facilitate these signal transfers. An address latch 410 is also provided for sending a data memory address to the stealth port. Similarly, a transceiver 412 is provided to enable the IFS circuit 28 to send or receive data information via the data bus of the stealth interface circuit 16.

The IFS circuit 28 also includes a stealth timing and control circuit 414. The stealth timing and control circuit 414 includes one or more Programmable Array Logic circuits to implement a state machine for processing specific signals to or from the stealth interface circuit 16. For example, when the SDSS signal is received, it provides an indication to the IFS circuit 28 that a valid window exists for reading from the data memory 22. Assuming that the arbitration circuit on the stealth interface circuit 16 also grants access to the data memory 22, then the stealth timing and control circuit 414 will appropriately set the control status register 416. The data out control circuit 404 will respond by causing a DMA counter circuit 418 to start counting down to zero from a pre-set value. The DMA counter 418 will decrement with each data word read from the data memory 22. The DMA counter 418 in turn controls a DMA word count circuit 420 which generates an address in the transfer map 37. In other words, the DMA word count circuit 420 points to an address in the transfer map 37, which in turn points to an address in the data memory 22. Through this form of indirection, the IFS circuit 28 will read each of the locations of the data memory 22 that are specified in the transfer map 37 for the particular window permitted by the process control computer 12 through the stealth interface circuit 16.
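The gather through the transfer map described for FIG. 9 and FIG. 10 can be emulated in a few lines. The following is an added example and is not code from the patent: the data memory contents, the two exposed segment ranges, the extra location at 4106 (hex) and the segment check in map_violations are constructed for illustration. The point worth seeing is that the IFS circuit never takes a data memory address from the network; it reads only the addresses the loaded transfer map names, and only while the SDSS window is granted, so the map is the place to enforce that nothing outside the permitted segments is ever reached.

```python
"""Gather DMA through a transfer map, as in FIG. 9 and FIG. 10 (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed data memory 22: address -> 16-bit word. Only the two segments
# of FIG. 9 are populated; 0x4106 is adjacent to the mapped block but not in the map.
DATA_MEMORY: Dict[int, int] = {
    0x2000: 0x0101, 0x2001: 0x0202, 0x2002: 0x0303,
    0x4100: 0x1111, 0x4101: 0x2222, 0x4102: 0x3333,
    0x4103: 0x4444, 0x4104: 0x5555, 0x4105: 0x6666,
    0x4106: 0xDEAD,
}

# Transfer map 37: ordered data memory addresses to read, per FIG. 9
# (2000-2002 hex in segment 1, 4100-4105 hex in segment 2).
TRANSFER_MAP: List[int] = list(range(0x2000, 0x2003)) + list(range(0x4100, 0x4106))

# Constructed bounds of the segments the process control computer exposes
# through the stealth port.
SEGMENTS: List[Tuple[int, int]] = [(0x2000, 0x2FFF), (0x4000, 0x4FFF)]


def map_violations(tmap: List[int], segments: List[Tuple[int, int]]) -> List[int]:
    """Return map entries outside every exposed segment.

    The map is loaded once and then drives every DMA, so this is the check
    to run before it is ever used (an assumed check, not described in the patent).
    """
    return [a for a in tmap if not any(lo <= a <= hi for lo, hi in segments)]


def gather(memory: Dict[int, int], tmap: List[int],
           window_granted: bool = True,
           preset: Optional[int] = None) -> Optional[List[int]]:
    """Emulate one read window.

    Returns the contiguous reflective memory buffer, or None when the stealth
    arbitration did not grant the window. `preset` is the DMA counter 418 start
    value and defaults to the map length; it can never exceed the map.
    """
    if not window_granted:
        return None
    count = len(tmap) if preset is None else preset
    if count > len(tmap):
        raise ValueError("DMA counter preset exceeds transfer map length")
    buffer: List[int] = []
    for word_count in range(count):      # DMA word count circuit 420
        addr = tmap[word_count]          # map entry -> data memory address
        buffer.append(memory[addr])      # one word per counter decrement
    return buffer


def segment_of(addr: int, segments: List[Tuple[int, int]]) -> Optional[int]:
    """Index of the exposed segment containing addr, or None."""
    for i, (lo, hi) in enumerate(segments):
        if lo <= addr <= hi:
            return i
    return None


if __name__ == "__main__":
    assert not map_violations(TRANSFER_MAP, SEGMENTS)
    buf = gather(DATA_MEMORY, TRANSFER_MAP)
    for i, (addr, word) in enumerate(zip(TRANSFER_MAP, buf)):
        print(f"buffer[{i}] <- mem[{addr:#06x}] "
              f"(segment {segment_of(addr, SEGMENTS)}) = {word:#06x}")
```

Running the block prints nine buffer entries drawn from two non-contiguous address ranges; the word at 4106 (hex) is never read because no map entry points at it, and a map that named an address outside the exposed segments would be caught by map_violations before any window is used.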

Referring to FIG. 11, a block diagram of the IFQ circuit 30 is shown. The IFQ circuit 30 includes the Intel 80186 microprocessor, as discussed above, and the program for this microprocessor is stored in EPROM 420. Additionally, an address latch 422 is coupled to the address bus 424 of the microprocessor 42. Similarly, a data buffer 426 is connected to the data bus 428 of the microprocessor 42. A 64 Kb RAM circuit 430 is also coupled to both the address bus 424 and the data bus 428. The RAM circuit 430 is used to store system data, such as one or more stacks and other operational data structures for the microprocessor 42.

The IFQ circuit 30 also includes a fiber interface "daughter" board 432, which contains the circuits directly responsible for transmitting and receiving signals over the fiber optic cables 32. In this regard, block 434 includes the two channels of light converters and receiver circuits, and block 436 includes the two channels of light converters and transmitter/receiver circuits, as discussed above. With the Gazelle serial transmitter/receiver pairs, each of the fiber optic links to the IFS circuits 28a-28b is capable of transmitting 2.5 million 40-bit frames per second. Block 44 represents the two 128 Kb data buffers used for initially storing SDSS and DSS data which is asynchronously received from the process control computers 12a-12b, as discussed in connection with FIG. 1. These "link" data buffers are preferably implemented using two independent memories in a dual-port configuration, one for each fiber optic channel, in order to provide real-time uninterrupted gathering of process data and messages from the IFS circuits. The block 438 represents the provision of at least one word register (for each fiber optic channel) used to hold serial data to be transmitted to one of the process control computers 12a-12b.

The block 440 represents the logic circuits for controlling the storing of information into the data buffers 44 and the word register 438. The logic circuits 440 include one or more Programmable Array Logic ("PAL") circuits for implementing a state machine for handling these data write operations. For example, when a forty bit data frame is received from one of the process control computers 12a-12b, the logic circuits 440 will decode the address and control bits in order to steer the data bits to the appropriate memory location in the data buffers 44. The fiber interface daughter board 432 also includes an interrupt circuit block 442 which contains the interrupt logic for helping the microprocessor 42 understand the state of the data write activities. In this regard, at least two separate interrupt lines are used to interconnect the interrupt circuit block 442 with the microprocessor 42 (one per fiber optic channel). Both the IFS circuit 28 and the fiber interface daughter board 432 of the IFQ circuit 30 also include a PAL state machine which examines incoming frames for errors (e.g., parity errors and 4B/5B link errors). In one embodiment of the front end communication system 10, all of the state machines on the IFQ circuit 30 operate from a 20 MHz clock signal which is derived from the 10 MHz clock signal of the microprocessor 42. The microprocessor 42 is programmed to provide at least two DMA engines for moving data. For example, the microprocessor 42 will respond to appropriate interrupt signals from the interrupt circuit block 442 by moving data from the data buffers 44 to a dual-ported 64 Kb RAM circuit 444, which acts to provide a bucket brigade storage medium. Then, once sufficient data is stored in the dual-ported RAM circuit 444 (e.g., 8 Kb), the DMA state machine in the first in, first out ("FIFO") DMA control block 446 will move this data over the Q-bus 302 of the front end computer 18. Memory cycles are preferably interleaved between both the microprocessor 42 system bus and the Q-bus, with the system bus of the microprocessor 42 given top priority. A status register circuit 448 and a CSR circuit 450 are provided to transfer status and control information.



Additionally, as shown in FIG. 11, an address buffer 452 and a DMA/FIFO counter 454 are also coupled to the address lines of the dual-ported RAM circuit 444. Similarly, a DMA/FIFO data buffer 456 for the Q-bus 302 and a data buffer for the microprocessor 42 are also coupled to the data lines of the dual-ported RAM circuit 444.

The present invention has been described in an illustrative manner. In this regard, it is evident that those skilled in the art, once given the benefit of the foregoing disclosure, may now make modifications to the specific embodiments described herein without departing from the spirit of the present invention. Such modifications are to be considered within the scope of the present invention, which is limited solely by the scope and spirit of the appended claims.

What is claimed is:

1. A method of providing secure communications between a plurality of computers on a network, comprising the steps of:

establishing a time limited communication contract between first and second computers on said network which will enable signal communication between said first and second computers for a predetermined time period, said time limited communication contract being established on the basis of an unpredictable signal transmitted from said first computer to said second computer and an acceptable signal transmitted from said second computer in response to the transmission of said unpredictable signal, said acceptable signal being different than but related to said unpredictable signal, the step of establishing said time limited communication including the steps of

generating a pseudo-random number,

transmitting said pseudo-random number to said second computer,

generating an encrypted form of said pseudo-random number at said second computer,

transmitting said encrypted pseudo-random number to said first computer, and determining at said first computer whether said encrypted pseudo-random number is acceptable before permitting a designated type of signal communication between said first and second computers, said encrypted pseudo-random number being determined to be acceptable if it matches an expected modification of the pseudo-random number; and

re-establishing said time limited communication contract between said first and second computers before said predetermined time period expires to continue said signal communication beyond said predetermined time period, said time limited communication contract being re-established on the basis of an acceptable response to the transmission of a new pseudo-random number from said first computer.

2. The method according to claim 1, wherein said pseudo-random number has a digital length of at least 32 bits.

3. The method according to claim 1, wherein said designated type of signal communication includes an instruction from said second computer to said first computer which commands a modification of at least one process control variable.

4. The method according to claim 1, wherein said pseudo-random number is encrypted by said second computer in accordance with an algorithm which is unique to a compiled version of an application program running in said first computer.

5. The method according to claim 4, wherein said time limited communication contract is re-established at intervals of less than one minute.

6. The method according to claim 5, wherein said predetermined time period is less than one minute.

7. The method according to claim 6, wherein said predetermined time period is less than 30 seconds.

8. A secure front end communication system for at least one process control computer which controls the operation of a physical process, comprising:


a computer network for enabling communication between a plurality of computers;

at least one computer entity connected to said computer network; and

at least one front end computer connected between said process control computer and said computer network, said front end computer having means for establishing a time limited communication contract with said computer entity for a predetermined time period on the basis of a pseudo-random number transmitted from said front end computer and an acceptable signal transmitted from said computer entity to said front end computer in response to the transmission of said pseudo-random number from said front end computer to said computer entity, said time limited communication contract enabling a designated type of signal communication from said computer entity to said process control computer and said acceptable signal being an encrypted form of said pseudo-random number;

said front end computer including means for determining whether said encrypted form of said pseudo-random number is acceptable if it matches an expected modification of said pseudo-random number; said front end computer includes means for re-establishing said time limited communication contract with said computer entity before said predetermined time period expires to continue said signal communication beyond said predetermined time period, said time limited communication contract being re-established on the basis of an acceptable response to the transmission of a new pseudo-random number from said front end computer.

9. The secure front end communication system according to claim 8, wherein said pseudo-random number has a digital length of at least 32 bits.

10. The method according to claim 8, wherein said computer entity encrypts said pseudo-random number in accordance with an algorithm which is unique to the compiled version of an application program running in said process control computer.

11. The secure front end communication system according to claim 10, wherein said time limited communication contract is re-established at intervals of less than one minute.

12. The secure front end communication system according to claim 11, wherein said predetermined time period is less than one minute.

13. The secure front end communication system according to claim 12, wherein said predetermined time period is less than 30 seconds.

14. The secure front end communication system according to claim 8, wherein said designated type of signal communication includes an instruction from said computer entity to said process control computer that commands a modification of at least one process control variable.

15. The secure front end communication system according to claim 14, wherein said front end computer includes means for storing at least one permissive table, and means for determining whether such an instruction from said computer entity will be transmitted by said front end computer to said process control computer from a comparison of the process control variable sought to be modified and an enable indicator contained in said permissive table for said process control variable.

16. The secure front end communication system according to claim 14, wherein said computer network includes a plurality of network segments, and means for preventing the transmission of a network message that includes such a variable modification instruction to the network segment on which said front end computer resides from at least one other network segment of said computer network.

17. The secure front end communication system according to claim 8, further including a security server connected to said computer network,

said security server having means for storing a security table which identifies the computer entities on said computer network that are permitted to send commands to said process control computer, and means for responding to a network message from said front end computer which requests a copy of said security table by transmitting a responsive network message which includes an encrypted transformation of an unpredictable component contained in said requesting network message from said front end computer.
18. A method of providing secure communications between a plurality of computers on a network, comprising the steps of:

establishing a time limited communication contract between first and second computers on said network which will enable signal communication between said first and second computers for only a predetermined time period of pre-specified duration, said time limited communication contract being established by generating an unpredictable signal at said first computer, transmitting said unpredictable signal to said second computer, generating a predictable modification to said unpredictable signal at said second computer, transmitting said modified unpredictable signal to said first computer, and determining at said first computer whether said modified unpredictable signal is acceptable before permitting a designated type of signal communication between said first and second computers; and

repeatedly re-establishing said time limited communication contract between said first and second computers before any current instance of said predetermined time period expires in order to continue said signal communication through an uninterrupted series of successive instances of said predetermined time period, said time limited communication contract being re-established on the basis of an acceptable modification to the transmission of a new unpredictable signal from said first computer.

19. A secure front end communication system for at least one process control computer which controls the operation of a physical process, comprising:

a computer network for enabling communication between a plurality of computers;

at least one computer entity connected to said computer network; and

at least one front end computer connected between said process control computer and said computer network, said front end computer having means for repeatedly establishing an uninterrupted series of successive time limited communication contracts of pre-specified duration with said computer entity on the basis of an unpredictable signal transmitted from said front end computer and an acceptable signal transmitted from said computer entity to said front end computer in response to the transmission of said unpredictable signal from said front end computer to said computer entity, said time limited communication contract enabling a designated type of signal communication from said computer entity to said process control computer and said acceptable signal being a modified form of said unpredictable signal; said front end computer includes means for re-establishing said time limited communication contract with said computer entity before said pre-specified duration expires to continue said signal communication beyond said pre-specified duration, said time limited communication contract being re-established on the basis of an acceptable response to the transmission of a new unpredictable signal from said front end computer.
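The contract mechanism of claims 1 to 8 and 17 to 19, together with the permissive table of claim 15, can be exercised end to end as one exchange. The following is an added example and not the patent's own code. It assumes that the "encrypted form" of the pseudo-random number is an HMAC-SHA256 under a key that stands in for the algorithm unique to the compiled application program (the claims do not name the transformation); that the predetermined period is 30 seconds (claim 7) and the entity renews at 20 seconds; and that the security table, permissive table, variable names and the entity "hmi-1" are constructed. A fake clock is injected so the timing is reproducible. The details worth noticing are that an outstanding nonce is consumed on any reply, good or bad, so an intercepted reply cannot be replayed against the same challenge; that a failed renewal leaves the current contract untouched until it lapses on its own; and that a live contract alone does not forward a write, the permissive table still has to enable the variable.

```python
"""Time limited communication contract between a front end computer and a
network entity, with a permissive-table check on write commands (added example).
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

NONCE_BYTES = 4           # claim 2: pseudo-random number of at least 32 bits
CONTRACT_PERIOD_S = 30.0  # claim 7: predetermined time period of less than 30 s
APP_KEY = b"constructed-per-build-secret"  # assumed stand-in, not from the patent


def expected_modification(nonce: bytes, key: bytes = APP_KEY) -> bytes:
    """Transformation the entity applies and the front end expects back."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class FrontEnd:
    """Gate between the network and the process control computer."""

    def __init__(self, security_table: Iterable[str],
                 permissive_table: Dict[str, bool], now: Callable[[], float]):
        self.security_table = set(security_table)       # entities allowed to write
        self.permissive_table = dict(permissive_table)  # variable -> enable indicator
        self.now = now
        self.pending: Dict[str, bytes] = {}             # entity -> outstanding nonce
        self.expires: Dict[str, float] = {}             # entity -> contract expiry

    def challenge(self, entity: str) -> Optional[bytes]:
        """Fresh unpredictable signal; entities outside the security table get none."""
        if entity not in self.security_table:
            return None
        nonce = secrets.token_bytes(NONCE_BYTES)
        self.pending[entity] = nonce
        return nonce

    def accept(self, entity: str, response: bytes) -> bool:
        """Establish or re-establish the contract if the reply matches.

        The nonce is consumed on any attempt, so a replayed or guessed reply
        cannot be retried against the same challenge.
        """
        nonce = self.pending.pop(entity, None)
        if nonce is None:
            return False
        if not hmac.compare_digest(response, expected_modification(nonce)):
            return False
        self.expires[entity] = self.now() + CONTRACT_PERIOD_S
        return True

    def contract_live(self, entity: str) -> bool:
        return self.now() < self.expires.get(entity, float("-inf"))

    def write_command(self, entity: str, variable: str) -> str:
        """Forward a variable modification only under a live contract and
        only if the permissive table enables that variable (claim 15)."""
        if not self.contract_live(entity):
            return "rejected: no live contract"
        if not self.permissive_table.get(variable, False):
            return "rejected: variable not enabled"
        return "forwarded"


def run_session() -> Dict[str, object]:
    """One contract lifetime: establish, write, replay, renew, lapse."""
    clock = [0.0]
    fe = FrontEnd(["hmi-1"], {"FIC101.SP": True, "XV201.CMD": False}, lambda: clock[0])
    out: Dict[str, object] = {}

    nonce = fe.challenge("hmi-1")
    reply = expected_modification(nonce)                    # computed on the entity
    out["establish"] = fe.accept("hmi-1", reply)
    out["write_enabled"] = fe.write_command("hmi-1", "FIC101.SP")
    out["write_disabled"] = fe.write_command("hmi-1", "XV201.CMD")
    out["replay_old_reply"] = fe.accept("hmi-1", reply)     # no outstanding nonce

    clock[0] = 20.0                                         # renew before expiry
    bad = fe.challenge("hmi-1")
    out["renew_wrong_key"] = fe.accept("hmi-1", expected_modification(bad, b"wrong"))
    out["still_live_after_bad_renew"] = fe.contract_live("hmi-1")
    out["renew"] = fe.accept("hmi-1", expected_modification(fe.challenge("hmi-1")))

    clock[0] = 45.0                                         # past period 1, inside period 2
    out["write_in_period_2"] = fe.write_command("hmi-1", "FIC101.SP")
    clock[0] = 51.0                                         # period 2 lapsed, no renewal
    out["write_after_lapse"] = fe.write_command("hmi-1", "FIC101.SP")
    out["unlisted_entity_gets_nonce"] = fe.challenge("rogue") is not None
    return out


if __name__ == "__main__":
    for step, result in run_session().items():
        print(f"{step}: {result}")
```

The 32-bit nonce of claim 2 is small by today's standards; with a keyed transformation as assumed here, the nonce only needs to be unique per challenge, since the secret is in the key rather than in the nonce length. What the front end must never do is accept a reply for a nonce it no longer has outstanding, which is why accept pops the nonce before comparing.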